On 20. 09. 22 20:32, frank picabia wrote:

The algorithm migration I made to 8 has worked well.
Getting green lights on DNSSEC checkers, etc.

The only odd bit is some warnings at DNSVIS.NET
about DS records using digest algorithm 1.

DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).

Somehow the way I do the zone signing results in 2 pairs of DS
records - one with digest algorithm 2 and one with algorithm 1.

This is the command I've been running lately:

/sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f forward/mydomain.ca.signed forward/mydomain.ca

As per the howtos I followed years ago, I've provided the domain registrar
with both DS key records (one key number, two digest algorithms).

mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416

mydomain.ca does exist but does not show the warning you describe, so I suppose you are not telling us the real domain name.

If you want help for your specific domain please follow advice given here:

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

TL;DR post the real domain name.


In the diagram at DNSVIS.NET, it looks like the DS with alg 1 is dangling at the top level domain (.ca) with the yellow warning as per above,
while the alg 2 links to my domain's DNSKEY properly.

How should I tidy up this digest algo 1?  Do I simply remove it at the domain registrar,
or is there a better way to run dnssec-signzone?

Well _maybe_ you can simply drop the DS algo 1, but we cannot be sure without checking on the real domain name.

--
Petr Špaček
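Added example, not part of this thread and not BIND's own code: it recomputes the two DS forms that a single KSK yields (one key tag, a SHA-1 and a SHA-256 digest, as in the pair above) and audits a registrar's published DS set against them, separating the deprecated SHA-1 entry from the one to keep and from anything stale. The owner name, DNSKEY fields and key blob are constructed placeholders, not a real key.

```python
import hashlib

# Constructed placeholder key blob (NOT a valid RSA key) so the example runs offline.
SAMPLE_PUBKEY = bytes.fromhex("0301000100000000000000000000000A")
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash function
DEPRECATED_DIGEST_TYPES = {1}                    # SHA-1 DS must not be used (RFC 8624)

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercase labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the '20084' field in a DS record)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner, flags, protocol, algorithm, pubkey):
    """{digest_type: (key_tag, algorithm, HEX_DIGEST)} for both DS forms of one key.
    digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 s5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    return {dt: (tag, algorithm, h(owner_wire(owner) + rdata).hexdigest().upper())
            for dt, h in DIGESTS.items()}

def audit_published_ds(published, expected):
    """published: [(key_tag, algorithm, digest_type, hex_digest)] as held by the registrar;
    expected: ds_records() of the live KSK. Returns (keep, drop, stale)."""
    keep, drop, stale = [], [], []
    for rec in published:
        exp = expected.get(rec[2])
        if exp is None or exp[:2] != rec[:2] or exp[2] != rec[3].upper():
            stale.append(rec)          # matches no live key: remove at the registrar
        elif rec[2] in DEPRECATED_DIGEST_TYPES:
            drop.append(rec)           # valid but SHA-1: the entry to drop
        else:
            keep.append(rec)
    return keep, drop, stale

if __name__ == "__main__":             # prints both DS forms, then the audit verdict
    ds = ds_records("mydomain.ca.", 257, 3, 8, SAMPLE_PUBKEY)
    registrar = [(t, a, dt, d) for dt, (t, a, d) in ds.items()]   # what was sent out
    print(ds, audit_published_ds(registrar, ds), sep="\n")
```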
