Hello,

today I implemented DNSSEC for a domain - by that I mean that the DS records have been published / added to TLD DNS today, while the zone has been signed a couple of days ago.


So a couple of hours later I went to https://dnsviz.net to see if everything seems OK and it reports one error and a couple of warnings. The error is:


RRSIG sid.si/NSEC3PARAM alg 13, id 48018: The TTL of the RRset (3600) exceeds 
the value of the Original TTL field of the RRSIG RR covering it (0).


But if I use /dig/, I get this:

;; ANSWER SECTION:
sid.si.                 3600    IN      NSEC3PARAM 1 0 10 -
sid.si.                 3600    IN      RRSIG   NSEC3PARAM 13 2 0 
20220205091303 20220106091303 48018 sid.si. 
WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa 
pYIrabwi/sANBgEBMHtW1Z3NS7hRow==


Both records show TTL 3600 - which should be OK, I think? Where does dnsviz.net get that TTL 0?




The warnings are:

sid.si/DS (alg 13, id 12603): DNSSEC specification prohibits signing with DS 
records that use digest algorithm 1 (SHA-1).

sid.si/DS (alg 13, id 12603): DNSSEC specification prohibits signing with DS 
records that use digest algorithm 1 (SHA-1).

sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are ignored 
when DS records with digest type 2 (SHA-256) exist in the same RRset.

sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are ignored 
when DS records with digest type 2 (SHA-256) exist in the same RRset.


This is probably due to the fact that /dnssec-signzone/ from the Bind version included in CentOS 8 creates two 'digests' in the /dsset/ file (SHA-1 and SHA-256, which is what I've sent to the domain registrar to include), while newer Bind versions only create one...


Is including SHA-1 bad in some way? Should I change that?



  Thanks,

     Danilo
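As an added example that is not part of the original post (and not dnsviz's or BIND's code): a small Python checker that applies the two rules dnsviz is applying above to dig-style presentation output. It reads the Original TTL field of each RRSIG, which is the fourth RDATA field (RFC 4034 section 3.1), and compares it with the TTL of the covered RRset; and it flags DS records with digest type 1 (SHA-1) that validators ignore when a digest type 2 (SHA-256) DS for the same key is present (RFC 4509), or that are the only digest published. The sample records are constructed: the NSEC3PARAM and RRSIG lines reproduce the dig output from the post joined onto single lines, the DS digests are dummy hex strings, and all function names are my own.

```python
"""Re-create two dnsviz checks against dig-style presentation records.

Added example for the bind-users thread above; it is not dnsviz's or BIND's
code, and every identifier in it is my own.
"""
from collections import defaultdict

# Constructed sample: the NSEC3PARAM RRset and its RRSIG from the post's dig
# output, joined onto single lines. RRSIG RDATA order (RFC 4034 section 3.1):
# type covered, algorithm, labels, ORIGINAL TTL, expiration, inception,
# key tag, signer name, signature. The "0" right after "13 2" is Original TTL.
DIG_ANSWER = """\
sid.si.  3600  IN  NSEC3PARAM  1 0 10 -
sid.si.  3600  IN  RRSIG  NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5TmsapYIrabwi/sANBgEBMHtW1Z3NS7hRow==
"""

# Constructed: the same RRset with an Original TTL that matches the RRset TTL.
GOOD_ANSWER = DIG_ANSWER.replace("NSEC3PARAM 13 2 0 ", "NSEC3PARAM 13 2 3600 ")

# Constructed DS RRsets; the digests are dummy hex, not sid.si's real values.
# DS RDATA order (RFC 4034 section 5.1): key tag, algorithm, digest type, digest.
DS_BOTH = """\
sid.si.  3600  IN  DS  12603 13 1 {sha1}
sid.si.  3600  IN  DS  12603 13 2 {sha256}
""".format(sha1="ab" * 20, sha256="cd" * 32)
DS_SHA1_ONLY = DS_BOTH.splitlines()[0] + "\n"
DS_SHA256_ONLY = DS_BOTH.splitlines()[1] + "\n"


def parse_rrs(text):
    """Parse dig-style lines into (owner, ttl, rtype, rdata_fields) tuples."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rrs.append((owner, int(ttl), rtype, rdata))
    return rrs


def check_original_ttl(text):
    """Return (owner, type, keytag, rrset_ttl, original_ttl) for every RRSIG
    whose Original TTL field is smaller than the TTL of the RRset it covers.
    A validator rebuilds the signed RRset with the Original TTL, so an RRset
    served with a larger TTL than it was signed with is what dnsviz reports."""
    rrs = parse_rrs(text)
    rrset_ttl = {}
    for owner, ttl, rtype, _ in rrs:
        if rtype != "RRSIG":
            rrset_ttl[(owner, rtype)] = ttl  # all RRs of an RRset share a TTL
    findings = []
    for owner, _ttl, rtype, rdata in rrs:
        if rtype != "RRSIG":
            continue
        covered, _alg, _labels, orig_ttl, _exp, _inc, keytag, _signer = rdata[:8]
        orig_ttl = int(orig_ttl)
        set_ttl = rrset_ttl.get((owner, covered))
        if set_ttl is not None and set_ttl > orig_ttl:
            findings.append((owner, covered, keytag, set_ttl, orig_ttl))
    return findings


def check_ds_digests(text):
    """Return (owner, keytag, alg, verdict) for DS sets that carry a SHA-1
    digest. 'sha1-ignored': a SHA-256 DS for the same key exists, so validators
    ignore the SHA-1 one (RFC 4509). 'sha1-only': SHA-1 is the only digest, so
    publish a SHA-256 DS instead (RFC 8624 deprecates SHA-1 DS digests)."""
    digest_types = defaultdict(set)
    for owner, _ttl, rtype, rdata in parse_rrs(text):
        if rtype == "DS":
            keytag, alg, dtype, _digest = rdata[:4]
            digest_types[(owner, keytag, alg)].add(int(dtype))
    findings = []
    for (owner, keytag, alg), types in digest_types.items():
        if 1 in types:
            verdict = "sha1-ignored" if 2 in types else "sha1-only"
            findings.append((owner, keytag, alg, verdict))
    return findings


if __name__ == "__main__":
    for owner, covered, keytag, set_ttl, orig_ttl in check_original_ttl(DIG_ANSWER):
        print(f"RRSIG {owner}/{covered} id {keytag}: RRset TTL {set_ttl} "
              f"exceeds Original TTL {orig_ttl}")
    for owner, keytag, alg, verdict in check_ds_digests(DS_BOTH):
        print(f"{owner}/DS (alg {alg}, id {keytag}): {verdict}")
```

Run against the post's own dig output, the TTL check reports 3600 versus 0, because the RRSIG was generated with Original TTL 0 while the NSEC3PARAM RRset is served with TTL 3600. Run against a DS set containing both digest types, it reports the SHA-1 entry as ignored; submitting only the SHA-256 line from the dsset file to the registrar leaves a DS set that produces no warning from either check.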