The algorithm migration I made to 8 has worked well. Getting green lights on DNSSEC checkers, etc.
The only odd bit is some warnings at DNSVIS.NET about DS records using digest algorithm 1. DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1). Somehow the way I do the zone signing results in 2 pairs of DS records - one with digest algorithm 2 and one with algorithm 1.

This is the command I've been running lately:

    /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f forward/mydomain.ca.signed forward/mydomain.ca

As per the howtos I followed years ago, I've provided the domain registrar with both DS key records (one key number, two digest algorithms):

    mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
    mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416

In the diagram at DNSVIS.NET, it looks like the DS with alg 1 is dangling at the top level domain (.ca) with the yellow warning as per above, while the alg 2 links to my domain's DNSKEY properly.

How should I tidy up this digest algo 1? Do I simply remove it at the domain registrar, or is there a better way to run dnssec-signzone?
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
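An added example (not from the poster or from BIND) showing what the two DS records in the question actually are: each is a digest of the owner name plus the DNSKEY RDATA (RFC 4034), with digest type 1 being SHA-1 and type 2 SHA-256. The script recomputes both digests from a constructed dummy DNSKEY for mydomain.ca (not a real key) and classifies each DS published at the parent as matching, mismatching, or matching but using the deprecated SHA-1 digest that should be withdrawn at the registrar.

```python
import base64
import hashlib

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1 (deprecated), 2 = SHA-256
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the number, e.g. 20084, shown in the DS)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """DS record (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def audit_ds(owner, flags, protocol, algorithm, pubkey_b64, ds_records):
    """Classify each DS at the parent against the child's DNSKEY."""
    verdicts = []
    for tag, alg, dtype, digest in ds_records:
        if dtype not in DIGESTS:
            verdicts.append("unsupported-digest")
        elif (tag, alg, dtype, digest.upper()) != make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype):
            verdicts.append("mismatch")      # DS does not chain to this DNSKEY
        elif dtype == 1:
            verdicts.append("sha1-remove")   # valid chain, but SHA-1: withdraw it at the registrar
        else:
            verdicts.append("ok")
    return verdicts

# Constructed sample input: dummy KSK (flags 257, RSASHA256) for mydomain.ca, not a real key
OWNER, FLAGS, PROTO, ALG = "mydomain.ca.", 257, 3, 8
PUBKEY = base64.b64encode(b"\x03\x01\x00\x01" + b"\xab\xcd" * 4).decode()

if __name__ == "__main__":
    ds_set = [make_ds(OWNER, FLAGS, PROTO, ALG, PUBKEY, t) for t in (1, 2)]
    for ds, verdict in zip(ds_set, audit_ds(OWNER, FLAGS, PROTO, ALG, PUBKEY, ds_set)):
        print(f"{OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}  -> {verdict}")
```

With a real zone, feed the DNSKEY from the signed zone and the DS records the registrar shows; a "sha1-remove" verdict is the dangling algorithm-1 DS that DNSViz flags.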