On 20. 09. 22 20:32, frank picabia wrote:
> The algorithm migration I made to 8 has worked well.
> Getting green lights on DNSSEC checkers, etc.
> The only odd bit is some warnings at DNSVIS.NET
> about DS records using digest algorithm 1.
> The DNSSEC specification prohibits signing with DS records that use digest
> algorithm 1 (SHA-1).
> Somehow the way I do the zone signing results in 2 pairs of DS
> records - one with digest algorithm 2 and one with algorithm 1.
> This is the command I've been running lately:
>
> /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f forward/mydomain.ca.signed forward/mydomain.ca
>
> As per the howtos I followed years ago, I've provided the domain registrar
> with both DS key records (one key number, two digest algorithms).
>
> mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416
mydomain.ca does exist but does not show the warning you describe, so I
suppose you are not telling us the real domain name.
If you want help for your specific domain please follow advice given here:
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
TL;DR post the real domain name.
> In the diagram at DNSVIS.NET, it looks like the DS with alg 1
> is dangling at the top level domain (.ca) with the yellow warning as per
> above, while the alg 2 links to my domain's DNSKEY properly.
> How should I tidy up this digest algo 1? Do I simply remove it at the
> domain registrar, or is there a better way to run dnssec-signzone?
Well _maybe_ you can simply drop the DS algo 1, but we cannot be sure
without checking on the real domain name.
--
Petr Špaček
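Added example (not from this thread or from BIND): the two DS records quoted above are the SHA-1 and SHA-256 digests of the same DNSKEY, so before dropping the digest type 1 record at the registrar an operator can recompute both from the zone's DNSKEY (RFC 4034 section 5.1.4, key tag per appendix B) and confirm the type 2 record still matches. The DNSKEY below is a constructed toy value, not the poster's key, and the deprecation rule for digest type 1 is the one in RFC 8624.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). RFC 8624 says type 1 (SHA-1)
# MUST NOT be used for new delegations; validators must still accept it.
DIGEST_HASH = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DEPRECATED_FOR_SIGNING = {1}


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminating zero-length label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(presentation):
    """Wire RDATA of a DNSKEY from presentation form '257 3 8 <base64>'."""
    flags, proto, alg, *b64 = presentation.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGEST_HASH[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, dnskey, digest_type):
    """Presentation-format DS RDATA 'tag alg dtype hex' for a DNSKEY."""
    rdata = dnskey_rdata(dnskey)
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def audit_ds(owner, dnskey, ds_records):
    """For each published DS, report whether it matches the DNSKEY and whether
    its digest type is still acceptable for a delegation (RFC 8624)."""
    rdata = dnskey_rdata(dnskey)
    out = []
    for ds in ds_records:
        tag, alg, dtype, digest = ds.split()
        tag, alg, dtype = int(tag), int(alg), int(dtype)
        matches = (tag == key_tag(rdata) and alg == rdata[3] and dtype in DIGEST_HASH
                   and digest.upper() == ds_digest(owner, rdata, dtype))
        out.append({"ds": ds, "matches": matches, "deprecated": dtype in DEPRECATED_FOR_SIGNING})
    return out
```

Feed audit_ds the DNSKEY from the signed zone and the DS set currently published at the parent; a DS that matches and is not deprecated is the one to keep.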