DNSSEC error resolving gpo.gov ?

Petr Menšík pemensik at redhat.com
Tue Apr 4 10:27:05 UTC 2023


No, unfortunately there is no way to disable it. It just creates both 
digests and there is no way to disable creation of SHA-1 in bind 9.11. 
dnssec-dsfromkey -2 can be used to output only the SHA256 digest.

I think the automated process using dsset files does not offer switches to 
not generate them. With a manual signing process it should be possible to 
delete the SHA1 digest from the dsset file before signing it with 
dnssec-signzone. I doubt it would work smoothly with inline signing 
directly from named. At least not in our RHEL8 version.

Petr

On 24. 03. 23 14:35, John W. Blue via bind-users wrote:
> Petr,
>
> Thanks for sharing that tidbit of info.  Off the top of your head do you know if that can be disabled?
>
> John
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Petr Menšík
> Sent: Friday, March 24, 2023 8:32 AM
> To: bind-users at lists.isc.org
> Subject: Re: DNSSEC error resolving gpo.gov ?
>
> That is done also by bind 9.11, not only infoblox. It creates both digests on common operations.
>
> On 3/14/23 16:23, John W. Blue via bind-users wrote:
>> Keep in mind that SHA1 may not have been included by choice.
>>
>> If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1.
>>
>> John
>>
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf
>> Of Stephane Bortzmeyer
>> Sent: Tuesday, March 14, 2023 10:17 AM
>> To: Alexandra Yang
>> Cc: bind-users at lists.isc.org
>> Subject: Re: DNSSEC error resolving gpo.gov ?
>>
>> On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang <drayales at gmail.com> wrote a message of 154 lines which said:
>>
>>> I wonder if anyone can shed some light on this, our nameserver (BIND
>>> 9.16.37) keeps giving errors on resolving gpo.gov and ns3.gpo.gov,
>>> here are the
>>> errors:
>> "DS record for zone gpo.gov with keytag 18496 was created by digest algorithm 1 (SHA-1) which is deprecated."
>> https://zonemaster.fr/en/result/9161c8485223705c
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> --
> Petr Menšík
> Software Engineer, RHEL
> Red Hat, https://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
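The manual step Petr describes (dropping the SHA-1 DS line from a dsset file before handing it to dnssec-signzone) as a small shell filter; this is an added example, not code from the thread or from BIND. The dsset contents are constructed placeholders, and the function names strip_sha1_ds and count_ds_digest_type are my own.

```shell
#!/bin/sh
# Constructed dsset-style content (placeholder digests and key tag, not real data).
# A dsset file holds one DS record per digest type; bind 9.11 writes both
# digest type 1 (SHA-1) and digest type 2 (SHA-256) for the same key.
SAMPLE_DSSET='example.com.  IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
example.com.  IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.com. 3600 IN DS 12345 8 1 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Filter stdin, dropping DS records whose digest type (the third field after the
# "DS" token: keytag, algorithm, digest type) is 1 (SHA-1). Handles both the
# "owner IN DS ..." and "owner TTL IN DS ..." layouts; other lines pass through.
strip_sha1_ds() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "DS" && $(i + 3) == "1") next
        }
        print
    }'
}

# Count DS records of a given digest type on stdin, to check the result before signing.
count_ds_digest_type() {
    awk -v want="$1" '{
        for (i = 1; i <= NF; i++) {
            if ($i == "DS" && $(i + 3) == want) n++
        }
    } END { print n + 0 }'
}

# Stand-alone run: print the filtered dsset that would be given to dnssec-signzone.
printf '%s\n' "$SAMPLE_DSSET" | strip_sha1_ds
```

Run it over a real dsset-* file (redirecting to a new file) and check that count_ds_digest_type 1 reports 0 and a SHA-256 record remains before signing.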
