Edwardo Garcia <wdgar...@gmail.com> wrote:
>
> So you mean to say when it print out
>
> IN DS 45701 13 1 5422E9...
> IN DS 45701 13 2 qwertyE9...
>
> we never needed 45701 13 1 5422E9 only 45701 13 2 qwertyE9 ?

Exactly, yes!

> and we only need run
>
> dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f - guiltyparty.net
>
> and enter in just that one entry? 45701 13 2 qwertyE to the DS in domain
> reg?

Correct!

> and we have been upload both all this years was wrong ?

Well, not wrong, but unnecessary. The tools generally encouraged everyone
to publish both SHA1 and SHA2 DS records even though just SHA2 has been
enough for more than 10 years and SHA1 has had known weaknesses for even
longer.

> hrmm, now I start to understand why not many use DNSSEC so confusing to
> those who not do this every day, or so many instructions around nobody
> knows what works
>
> But we getting there :->

Yes, slowly...

Tony.
--
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Shannon, Rockall: Variable 4 or less, becoming southwest 3 to 5 later.
Slight, occasionally moderate in Rockall and at first in Shannon. Showers.
Good.
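
What `dnssec-dsfromkey -2` computes, as an added example that is not part of the original message or BIND's own code: the key tag (RFC 4034 Appendix B) and the SHA-256, digest type 2, DS digest over the owner name plus DNSKEY RDATA. The key material is constructed sample data rather than a real key, and the function names are illustrative.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner: str, dnskey_fields: str) -> str:
    """Return 'keytag algorithm 2 digest' for a DNSKEY given as
    'flags protocol algorithm base64...' (the RDATA part of a dig answer)."""
    flags, protocol, algorithm, *key_parts = dnskey_fields.split()
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), "".join(key_parts))
    # DS digest input is owner name (wire form) followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


# Constructed sample: algorithm 13 keys are 64 bytes; these bytes are NOT a real key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"257 3 13 {SAMPLE_KEY_B64}"

if __name__ == "__main__":
    print("guiltyparty.net. IN DS", ds_sha256("guiltyparty.net.", SAMPLE_DNSKEY))
```

Only this single digest-type-2 line needs to go to the registrar; the key tag and algorithm fields are the same ones that would appear in a type 1 record for the same key.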