Re: DS keys with 2 digest algorithms

2022-09-22 Thread Jan-Piet Mens via bind-users

Maybe in the future dnssec-signzone won't generate the deprecated entry to
begin with.


BIND 9.16.0 stopped generating SHA-1 digests [1]:

"DS and CDS records are now generated with SHA-256 digests only, instead of 
both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset 
files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone 
based on keyset files, the CDS records added to a zone by named and dnssec-signzone based 
on “sync” timing parameters in key files, and the checks performed by 
dnssec-checkds."

-JP

[1] https://bind9.readthedocs.io/en/v9_16_6/notes.html
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DS keys with 2 digest algorithms

2022-09-22 Thread frank picabia
Hi,

Thanks for this confirmation.  I had our registrar remove the digest
algorithm SHA-1 DS entry and this has worked as expected.  No errors or
warnings at any DNSSEC checkers.

Maybe in the future dnssec-signzone won't generate the deprecated entry to
begin with.



On Tue, Sep 20, 2022 at 3:44 PM Mark Elkins  wrote:

> Just remove the type-1 digest from the domain registrar.
>
> In the future - only upload type type-2 version.
> On 2022/09/20 20:32, frank picabia wrote:
>
>
> The algorithm migration I made to 8 has worked well.
> Getting green lights on DNSSEC checkers, etc.
>
> The only odd bit is some warnings at DNSVIS.NET
> about DS records using digest algorithm 1.
>
> DNSSEC specification prohibits signing with DS records that use digest
> algorithm 1 (SHA-1).
>
> Somehow the way I do the zone signing results in 2 pairs of DS
> records - one with digest algorithm 2 and one with algorithm 1.
>
> This is the command I've been running lately:
>
> /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f
> forward/mydomain.ca.signed forward/mydomain.ca
>
> As per the howtos I followed years ago, I've provided the domain registrar
> with both DS key records (one key number, two digest algorithms).
>
> mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> mydomain.ca. IN DS 20084 8 2
> 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416
>
> In the diagram at DNSVIS.NET, it looks like the DS with alg 1
> is dangling at the top level domain (.ca) with the yellow warning as per
> above,
> while the alg 2 links to my domain's DNSKEY properly.
>
> How should I tidy up this digest algo 1?  Do I simply remove it at the
> domain registrar,
> or is there a better way to run dnssec-signzone?
>
>
>
>
> --
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> m...@posix.co.za   Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>


Re: DS keys with 2 digest algorithms

2022-09-21 Thread Petr Špaček

On 20. 09. 22 20:32, frank picabia wrote:
> The algorithm migration I made to 8 has worked well.
> Getting green lights on DNSSEC checkers, etc.
>
> The only odd bit is some warnings at DNSVIS.NET
> about DS records using digest algorithm 1.
>
> DNSSEC specification prohibits signing with DS records that use digest
> algorithm 1 (SHA-1).
>
> Somehow the way I do the zone signing results in 2 pairs of DS
> records - one with digest algorithm 2 and one with algorithm 1.
>
> This is the command I've been running lately:
>
> /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f
> forward/mydomain.ca.signed forward/mydomain.ca
>
> As per the howtos I followed years ago, I've provided the domain registrar
> with both DS key records (one key number, two digest algorithms).
>
> mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> mydomain.ca. IN DS 20084 8 2
> 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416


mydomain.ca does exist but does not show the warning you describe, so I 
suppose you are not telling us the real domain name.


If you want help for your specific domain please follow advice given here:

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

TL;DR post the real domain name.


> In the diagram at DNSVIS.NET, it looks like the DS with alg 1
> is dangling at the top level domain (.ca) with the yellow warning as per
> above,
> while the alg 2 links to my domain's DNSKEY properly.
>
> How should I tidy up this digest algo 1?  Do I simply remove it at the
> domain registrar,
> or is there a better way to run dnssec-signzone?


Well _maybe_ you can simply drop the DS algo 1, but we cannot be sure 
without checking on the real domain name.


--
Petr Špaček



DS keys with 2 digest algorithms

2022-09-20 Thread frank picabia
The algorithm migration I made to 8 has worked well.
Getting green lights on DNSSEC checkers, etc.

The only odd bit is some warnings at DNSVIS.NET
about DS records using digest algorithm 1.

DNSSEC specification prohibits signing with DS records that use digest
algorithm 1 (SHA-1).

Somehow the way I do the zone signing results in 2 pairs of DS
records - one with digest algorithm 2 and one with algorithm 1.

This is the command I've been running lately:

/sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f
forward/mydomain.ca.signed forward/mydomain.ca

As per the howtos I followed years ago, I've provided the domain registrar
with both DS key records (one key number, two digest algorithms).

mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
mydomain.ca. IN DS 20084 8 2
827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416

In the diagram at DNSVIS.NET, it looks like the DS with alg 1
is dangling at the top level domain (.ca) with the yellow warning as per
above,
while the alg 2 links to my domain's DNSKEY properly.

How should I tidy up this digest algo 1?  Do I simply remove it at the
domain registrar,
or is there a better way to run dnssec-signzone?
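As an added illustration (not code from this thread, and not BIND's own tooling), the following Python shows where the "one key, two digest algorithms" pair comes from and how to audit a registrar-published DS set before removing the SHA-1 entry. A DS record is the hash of the owner name in wire form followed by the DNSKEY RDATA, labelled with the DNSKEY's key tag (RFC 4034 section 5.1.4; RFC 4509 for SHA-256), so the same key yields one DS per digest type, which is exactly what older dnssec-signzone emitted. The DNSKEY below is constructed dummy key material, not a real key; the two DS lines fed to the audit are the ones quoted in the thread. The audit treats digest type 1 as deprecated for delegation per RFC 8624 and only recommends removing it when a non-deprecated DS for the same key tag remains, so the key is never left unreferenced.

```python
"""DS generation (RFC 4034 / RFC 4509) and a registrar DS-set audit.
Added example; assumes nothing beyond the Python standard library."""
import base64
import hashlib

# Registered DS digest types and the hex length each produces.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
# RFC 8624: SHA-1 (type 1) MUST NOT be used for new delegations,
# while validators still MUST accept it, hence "remove", not "panic".
DEPRECATED_FOR_DELEGATION = {1}

# Constructed dummy key material (64 deterministic bytes), NOT a real DNSKEY.
DUMMY_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode("ascii")

# The two DS records quoted in the thread: one key tag, digest types 1 and 2.
THREAD_DS = [
    "mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619",
    "mydomain.ca. IN DS 20084 8 2 "
    "827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416",
]


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, digest_type: int) -> str:
    """Presentation-format DS for one digest type: H(owner wire | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line: str):
    """Parse 'name. IN DS tag alg dtype digest' into (name, tag, alg, dtype, digest)."""
    parts = line.split()
    i = parts.index("DS")
    return parts[0], int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]), parts[i + 4]


def audit_ds_set(lines):
    """For each DS say keep / remove / fix. A deprecated-digest DS is only
    'remove' when a well-formed non-deprecated DS for the same key tag exists."""
    records = [parse_ds(l) for l in lines]
    covered = {tag for _, tag, _, dt, dg in records
               if dt in DIGEST_TYPES and dt not in DEPRECATED_FOR_DELEGATION
               and len(dg) == DIGEST_HEX_LEN[dt]}
    report = []
    for _, tag, _, dt, dg in records:
        if dt not in DIGEST_TYPES:
            verdict = "unknown digest type"
        elif len(dg) != DIGEST_HEX_LEN[dt]:
            verdict = "malformed digest length"
        elif dt in DEPRECATED_FOR_DELEGATION:
            verdict = "remove" if tag in covered else "publish a SHA-256 DS for this key first"
        else:
            verdict = "keep"
        report.append((tag, dt, verdict))
    return report


if __name__ == "__main__":
    # Same dummy KSK (flags 257, protocol 3, algorithm 8), two digest types:
    # this is the pair the thread saw in its dsset file.
    for dt in (1, 2):
        print(compute_ds("example.test", 257, 3, 8, DUMMY_KEY_B64, dt))
    for tag, dt, verdict in audit_ds_set(THREAD_DS):
        print(f"key tag {tag} digest type {dt}: {verdict}")
```

Run against the thread's two records the audit reports the type-1 DS as "remove" and the type-2 DS as "keep", which matches the action the poster took at the registrar; had only the type-1 record been published, it would instead ask for a SHA-256 DS to be published first.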