Edwardo Garcia <wdgar...@gmail.com> wrote:
> One thing I note, all check say everything is good, but when using dnsviz,
> it says secure, shows the ecd... but also puts up warnings that I am using
> alg 13 but digest 1 (sha1), which is not allowed,

I guess the "digest 1" is referring to your DS records. In my guide I said,
get the DS record for the new algorithm like this:

        dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY

The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.

Old versions of BIND by default print both SHA1 and SHA2 DS records, and
it's relatively common for zones to have both kinds of DS record in their
delegation. SHA1 DS records are now discouraged so it's best to replace
them with SHA2, or just delete them if you have both kinds of DS record.

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  https://dotat.at/
harness technological change to human advantage
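
An added example, not part of the message above or of BIND's tooling: a shell function that reads a delegation's DS records and reports, per key tag and algorithm, whether a SHA-1 (digest type 1) DS can simply be deleted because a SHA-2 DS for the same key is already there, or has to be replaced. The function names and the sample records (zone, key tags, digests) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: one key with both digests, one SHA-1 only, one SHA-256
# only. Zone, key tags and digest values are placeholders, not real records.
sample_ds() {
    cat <<'EOF'
example.org. 3600 IN DS 11111 13 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
example.org. 3600 IN DS 11111 13 2 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
22222 13 1 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
33333 13 2 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
EOF
}

# Read DS records on stdin, either full "owner TTL IN DS ..." lines or the
# short "keytag alg digesttype digest" form, and print one verdict per key.
audit_ds() {
    awk '
    {
        # Key tag is the field after "DS" (skipping "RRSIG DS"), else field 1.
        start = 1
        for (i = 1; i <= NF; i++)
            if ($i == "DS" && $(i - 1) != "RRSIG") { start = i + 1; break }
        if (NF < start + 3 || $start !~ /^[0-9]+$/) next   # not a DS record
        key = $start "/" $(start + 1)                      # keytag/algorithm
        dt = $(start + 2)                                  # digest type
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (dt == 1) sha1[key] = 1                         # SHA-1
        else if (dt == 2 || dt == 4) sha2[key] = 1         # SHA-256 / SHA-384
    }
    END {
        for (j = 1; j <= n; j++) {
            key = order[j]
            if (!(key in sha1))   verdict = "OK"
            else if (key in sha2) verdict = "DELETE-SHA1"    # SHA-2 DS already present
            else                  verdict = "REPLACE-SHA1"   # publish a SHA-2 DS first
            print key, verdict
        }
    }'
}

sample_ds | audit_ds
```

To check a live delegation, pipe the output of `dig +short DS` for the zone into `audit_ds`.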