OK, I assume that was the same as

dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -f - guiltyparty.net

which has been in our internal wiki for all these years (it predates my employment in 2012).

So you mean to say that when it prints out

IN DS 45701 13 1 5422E9...
IN DS 45701 13 2 qwertyE9...

we never needed 45701 13 1 5422E9, only 45701 13 2 qwertyE9? And we only need to run

dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f - guiltyparty.net

and enter just that one entry, 45701 13 2 qwertyE, as the DS at the domain registrar? And uploading both all these years was wrong?

The way we have been doing it is the instructions from the wiki in full, more or less, which I guess worked back in the day:

dnssec-keygen -r /dev/urandom -a rsasha1 -b 1024 -K keys/ -n ZONE foo.net
dnssec-keygen -r /dev/urandom -a rsasha1 -b 4096 -K keys/ -n ZONE -f KSK foo.net

add into the zone file

$INCLUDE keys/Kfoo.net.+005+6341.key
$INCLUDE keys/Kfoo.net.+005+9847.key

dnssec-signzone -a -e +9590400 -K keys/ -N INCREMENT foo.net

rndc stuff, then get the DS from dig (like above) and add both to the registrar:

foo.net. IN DS 1234 5 1 .....
foo.net. IN DS 1234 5 2 .....

which, stretching memory back to 2012, the domain registrar wanted both of.

Hrmm, now I start to understand why not many use DNSSEC: so confusing to those who don't do this every day, or so many instructions around that nobody knows what works. But we are getting there :->

On Sat, May 1, 2021 at 8:25 PM Tony Finch <d...@dotat.at> wrote:

> Edwardo Garcia <wdgar...@gmail.com> wrote:
> >
> > One thing I note, all check say everything is good, but when using
> > dnsviz, it says secure, shows the ecd... but also puts up warnings that I am
> > using alg 13 but digest 1 (sha1), which is not allowed,
>
> I guess the "digest 1" is referring to your DS records. In my guide I
> said, get the DS record for the new algorithm like this:
>
> dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY
>
> The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.
>
> Old versions of BIND by default print both SHA1 and SHA2 DS records, and
> it's relatively common for zones to have both kinds of DS record in their
> delegation.
>
> SHA1 DS records are now discouraged so it's best to replace them with
> SHA2, or just delete them if you have both kinds of DS record.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> harness technological change to human advantage
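Added example, not from this thread or from BIND: a small Python script that does what dnssec-dsfromkey does under the hood (RFC 4034 section 5.1.4 and Appendix B), computing the key tag and the digest-type 1 (SHA-1) and digest-type 2 (SHA-256) DS records from one DNSKEY. Running it shows that the "13 1" and "13 2" lines are two digests of the same KSK with the same key tag, so only the SHA-256 one needs to go to the registrar. The owner name guiltyparty.net is taken from the thread; the DNSKEY itself is constructed from dummy key bytes and is not a real P-256 key.

```python
"""Compute DS records from a DNSKEY, the way dnssec-dsfromkey does (RFC 4034 5.1.4)."""
import base64
import hashlib
import struct

# Digest type numbers as they appear in the DS record: 1 = SHA-1, 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lower-case, length-prefixed labels, zero-byte terminator."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse presentation format 'owner [ttl] [IN] DNSKEY flags proto alg key...'."""
    fields = rr.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may be split over several tokens
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey  # DNSKEY RDATA in wire format
    return owner, flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(rr: str, digest_type: int) -> str:
    """Return 'owner IN DS keytag alg digest_type DIGEST' for one DNSKEY."""
    owner, flags, alg, rdata = parse_dnskey(rr)
    if not flags & 1:
        raise ValueError("DS records are only published for KSKs (flags 257)")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, 64 dummy key bytes.
SAMPLE_DNSKEY = "guiltyparty.net. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for dtype in (1, 2):  # same key tag on both lines; only the digest type differs
        print(ds_record(SAMPLE_DNSKEY, dtype))
```

The "13 1" line is only a SHA-1 digest of the same key as the "13 2" line, which is why dropping it from the delegation loses nothing.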
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users