Hello,
today I implemented DNSSEC for a domain - by that I mean that the DS
records have been published / added to TLD DNS today, while the zone has
been signed a couple of days ago.
So a couple of hours later I went to https://dnsviz.net to see if
everything seems OK and it reports one error and a couple of warnings.
The error is:
RRSIG sid.si/NSEC3PARAM alg 13, id 48018: The TTL of the RRset (3600) exceeds
the value of the Original TTL field of the RRSIG RR covering it (0).
But if I use /dig/ for it, I get this:
;; ANSWER SECTION:
sid.si. 3600 IN NSEC3PARAM 1 0 10 -
sid.si. 3600 IN RRSIG NSEC3PARAM 13 2 0
20220205091303 20220106091303 48018 sid.si.
WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa
pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
Both records show TTL 3600 - which should be OK, I think? Where does
dnsviz.net get that TTL 0?
The warnings are:
sid.si/DS (alg 13, id 12603): DNSSEC specification prohibits signing with DS
records that use digest algorithm 1 (SHA-1).
sid.si/DS (alg 13, id 12603): DNSSEC specification prohibits signing with DS
records that use digest algorithm 1 (SHA-1).
sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are ignored
when DS records with digest type 2 (SHA-256) exist in the same RRset.
sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are ignored
when DS records with digest type 2 (SHA-256) exist in the same RRset.
This is probably because the /dnssec-signzone/ in the Bind version included
in CentOS 8 creates two 'digests' in the /dsset/ file (SHA-1 and SHA-256,
which is what I've sent to the domain registrar to include), while newer
Bind versions only create one...
Is including SHA-1 bad in some way? Should I change that?
Thanks,
Danilo
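A small checker, added here as an example and not code from the post, from BIND or from dnsviz, that reproduces the two checks dnsviz is reporting. It parses dig-style answer lines (the post's NSEC3PARAM answer joined back onto single lines, plus a constructed DS RRset with placeholder digests), reads the Original TTL field out of each RRSIG and compares it with the TTL of the RRset it covers, and flags DS records with digest type 1 (SHA-1), noting when a digest type 2 (SHA-256) DS for the same key makes them ignored.

```python
"""Reproduce the dnsviz checks from the post: RRSIG Original TTL vs RRset
TTL (RFC 4034 RRSIG rdata), and SHA-1 DS digests alongside SHA-256 ones."""
from collections import defaultdict

# Constructed input: the post's dig output on single lines (signature
# truncated), plus hypothetical DS records with all-zero placeholder digests.
ANSWER = """\
sid.si. 3600 IN NSEC3PARAM 1 0 10 -
sid.si. 3600 IN RRSIG NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBL...
sid.si. 86400 IN DS 12603 13 1 0000000000000000000000000000000000000000
sid.si. 86400 IN DS 12603 13 2 0000000000000000000000000000000000000000000000000000000000000000
"""

def parse(text):
    """Return (owner, ttl, rtype, rdata_fields) for each 'owner ttl IN type ...' line."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "IN":
            records.append((f[0], int(f[1]), f[3], f[4:]))
    return records

def check_rrsig_ttl(records):
    """Flag RRSIGs whose Original TTL field (4th rdata field) is below the
    TTL of the covered RRset; this is the wire field dnsviz reports as 0."""
    rrset_ttl = {(o, t): ttl for o, ttl, t, _ in records if t != "RRSIG"}
    findings = []
    for owner, _, rtype, rd in records:
        if rtype != "RRSIG":
            continue
        covered, alg, _labels, orig_ttl, _exp, _inc, keytag = rd[:7]
        ttl = rrset_ttl.get((owner, covered))
        if ttl is not None and ttl > int(orig_ttl):
            findings.append(f"{owner}/{covered} alg {alg}, id {keytag}: "
                            f"RRset TTL {ttl} exceeds RRSIG Original TTL {orig_ttl}")
    return findings

def check_ds_digests(records):
    """Flag SHA-1 (type 1) DS digests; when a SHA-256 (type 2) DS for the
    same key tag and algorithm exists, the SHA-1 one is ignored by validators."""
    types = defaultdict(set)
    for owner, _, rtype, rd in records:
        if rtype == "DS":
            types[(owner, rd[0], rd[1])].add(int(rd[2]))
    findings = []
    for (owner, keytag, alg), dt in types.items():
        if 1 in dt:
            findings.append(f"{owner}/DS (alg {alg}, id {keytag}): SHA-1 digest present")
            if 2 in dt:
                findings.append(f"{owner}/DS (alg {alg}, id {keytag}): SHA-1 DS ignored, SHA-256 DS exists")
    return findings

if __name__ == "__main__":
    recs = parse(ANSWER)
    print("\n".join(check_rrsig_ttl(recs) + check_ds_digests(recs)))
```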
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users