Re: DS keys with 2 digest algorithms

2022-09-22 Thread Jan-Piet Mens via bind-users
Maybe in the future dnssec-signzone won't generate the deprecated entry to begin with. BIND 9.16.0 stopped generating SHA1 digests [1]: "DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of

Re: DS keys with 2 digest algorithms

2022-09-22 Thread frank picabia
Hi, Thanks for this confirmation. I had our registrar remove the digest algorithm SHA1 DS entry and this has worked as expected. No errors or warnings at any DNSSEC checkers. Maybe in the future dnssec-signzone won't generate the deprecated entry to begin with. On Tue, Sep 20, 2022 at 3:44

Re: DS keys with 2 digest algorithms

2022-09-21 Thread Petr Špaček
On 20. 09. 22 20:32, frank picabia wrote: The algorithm migration I made to 8 has worked well. Getting green lights on DNSSEC checkers, etc. The only odd bit is some warnings at DNSVIS.NET about DS records using digest algorithm 1. DNSSEC specification prohibits signing

DS keys with 2 digest algorithms

2022-09-20 Thread frank picabia
The algorithm migration I made to 8 has worked well. Getting green lights on DNSSEC checkers, etc. The only odd bit is some warnings at DNSVIS.NET about DS records using digest algorithm 1. DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1). Somehow the