Edwardo Garcia <wdgar...@gmail.com> wrote:

> One thing I note, all checks say everything is good, but when using dnsviz,
> it says secure, shows the ecd...  but also puts up warnings that I am using
> alg 13 but digest 1 (sha1), which is not allowed,

I guess the "digest 1" is referring to your DS records. In my guide I
said, get the DS record for the new algorithm like this:

        dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY

The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.

Old versions of BIND by default print both SHA1 and SHA2 DS records, and
it's relatively common for zones to have both kinds of DS record in their
delegation.

SHA1 DS records are now discouraged so it's best to replace them with
SHA2, or just delete them if you have both kinds of DS record.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  https://dotat.at/
harness technological change to human advantage
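
Added example, not part of the original message or of BIND: a small Python audit that reads DS records in `dig` presentation format, flags digest type 1 (SHA-1), and picks between the two remedies given in the reply (delete when a SHA-2 DS exists for the same key, otherwise replace). The zone name, key tags and digests in `SAMPLE_DS` are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# IANA DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
SHA1, SHA2 = 1, {2, 4}
HEX_LEN = {1: 40, 2: 64, 4: 96}

# Constructed sample in the format `dig DS <zone>` prints. Key tags are made up
# and the digests are placeholders of the right length, not real hashes.
SAMPLE_DS = "\n".join([
    "example.org. 3600 IN DS 12345 13 1 " + "A1" * 20,
    "example.org. 3600 IN DS 12345 13 2 " + "B2" * 32,
    "example.org. 3600 IN DS 54321 13 1 " + "C3" * 20,
])


def parse_ds(text):
    """Yield (key_tag, algorithm, digest_type, digest_hex) per DS record."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DS" not in fields or "RRSIG" in fields:
            continue
        rdata = fields[fields.index("DS") + 1:]
        if len(rdata) < 4:
            continue
        key_tag, alg, dtype = (int(x) for x in rdata[:3])
        digest = "".join(rdata[3:]).upper()  # dig may split long digests
        if len(digest) != HEX_LEN.get(dtype, len(digest)):
            raise ValueError(f"digest length does not match type {dtype}: {line}")
        yield key_tag, alg, dtype, digest


def audit(text):
    """Map each (key_tag, algorithm) to the action the reply above recommends."""
    seen = defaultdict(set)
    for key_tag, alg, dtype, _ in parse_ds(text):
        seen[(key_tag, alg)].add(dtype)
    actions = {}
    for key, dtypes in seen.items():
        if SHA1 not in dtypes:
            actions[key] = "ok"
        elif dtypes & SHA2:
            actions[key] = "delete the SHA-1 DS"
        else:
            actions[key] = "replace the SHA-1 DS with SHA-2"
    return actions


if __name__ == "__main__":
    for (key_tag, alg), action in sorted(audit(SAMPLE_DS).items()):
        print(f"key tag {key_tag} alg {alg}: {action}")
```

To audit a live delegation, pass the saved output of `dig DS` for the zone to `audit()` in place of `SAMPLE_DS`.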
