Hi,

Thanks for this confirmation. I had our registrar remove the digest algorithm SHA1 DS entry and this has worked as expected. No errors or warnings at any DNSSEC checkers.

Maybe in the future dnssec-signzone won't generate the deprecated entry to begin with.

On Tue, Sep 20, 2022 at 3:44 PM Mark Elkins <m...@posix.co.za> wrote:

> Just remove the type-1 digest from the domain registrar.
>
> In the future - only upload the type-2 version.
>
> On 2022/09/20 20:32, frank picabia wrote:
>
> > The algorithm migration I made to 8 has worked well.
> > Getting green lights on DNSSEC checkers, etc.
> >
> > The only odd bit is some warnings at DNSVIS.NET
> > about DS records using digest algorithm 1.
> >
> > DNSSEC specification prohibits signing with DS records that use digest
> > algorithm 1 (SHA-1).
> >
> > Somehow the way I do the zone signing results in 2 pairs of DS
> > records - one with digest algorithm 2 and one with algorithm 1.
> >
> > This is the command I've been running lately:
> >
> > /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f forward/mydomain.ca.signed forward/mydomain.ca
> >
> > As per the howtos I followed years ago, I've provided the domain registrar
> > with both DS key records (one key number, two digest algorithms).
> >
> > mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> > mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416
> >
> > In the diagram at DNSVIS.NET, it looks like the DS with alg 1
> > is dangling at the top level domain (.ca) with the yellow warning as per
> > above, while the alg 2 links to my domain's DNSKEY properly.
> >
> > How should I tidy up this digest algo 1? Do I simply remove it at the
> > domain registrar, or is there a better way to run dnssec-signzone?
>
> --
>
> Mark James ELKINS - Posix Systems - (South) Africa
> m...@posix.co.za Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
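The thread turns on the fact that both DS records above are derived from the same DNSKEY (same key tag 20084, same algorithm 8) and differ only in the digest type, so dropping the SHA-1 (type 1) entry at the registrar loses nothing. The following is an added example, not code from the thread or from BIND: it computes DS records from a DNSKEY per RFC 4034 (canonical owner name plus DNSKEY RDATA, hashed with the digest named by the DS digest type), derives the key tag from RFC 4034 Appendix B, verifies a published DS against the key, and flags DS lines that still use the deprecated type 1 digest. The DNSKEY bytes are constructed for illustration and are not a real key; the two DS lines fed to the checker are the ones quoted in the thread.

```python
"""DS record derivation and a check for deprecated SHA-1 (digest type 1) DS entries.

Added example for the bind-users thread above; not BIND's code. The DNSKEY
below is constructed and not a real key.
"""
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509). Type 1 (SHA-1) must not
# be used any more (RFC 8624), which is the warning DNSViz reports.
DIGEST_TYPES = {1: "sha1", 2: "sha256"}
DEPRECATED_DIGEST_TYPES = {1}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DNSKEY.

    digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4.
    """
    algorithm = rdata[3]
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """True if a published DS tuple was derived from this DNSKEY."""
    expected = ds_from_dnskey(owner, rdata, ds[2])
    return expected[:3] == tuple(ds[:3]) and expected[3] == ds[3].upper()


def parse_ds(line: str):
    """Parse 'owner [class] DS tag alg dtype digest...' presentation format."""
    parts = line.split()
    i = parts.index("DS")
    tag, alg, dt = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    digest = "".join(parts[i + 4:]).upper()  # digest may be split over words
    return parts[0], (tag, alg, dt, digest)


def deprecated_ds(lines):
    """Return the DS lines that use a deprecated digest type (what to remove)."""
    return [line for line in lines if parse_ds(line)[1][2] in DEPRECATED_DIGEST_TYPES]


# Constructed KSK: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256), fake key bytes.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + b"\xab" * 8)

# The two DS records published at the registrar, as quoted in the thread.
REGISTRAR_DS_LINES = [
    "mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619",
    "mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416",
]


def format_ds(owner: str, ds) -> str:
    tag, alg, dt, digest = ds
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    owner = "mydomain.ca."
    # Both DS records come from one key: same tag and algorithm, different digest.
    for dt in (1, 2):
        print(format_ds(owner, ds_from_dnskey(owner, SAMPLE_RDATA, dt)))
    print("remove at registrar:", deprecated_ds(REGISTRAR_DS_LINES))
```

Running it prints one DS line per digest type for the constructed key, both carrying the same key tag, and then lists the thread's type-1 DS line as the one to remove. To avoid publishing the SHA-1 variant in the first place, BIND's dnssec-dsfromkey can be told which digest to emit (for example `dnssec-dsfromkey -a SHA-256 Kmydomain.ca.+008+20084.key`), so only the type-2 record ever reaches the registrar.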
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users