Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

Alan Batie alan at
Wed Mar 4 00:05:26 UTC 2020

On 3/3/20 8:59 AM, Tony Finch wrote:
> Alan Batie <alan at> wrote:
>> This is timely as I was about to ask if there's any reason to generate
>> SHA1 DNSKEY records?  I should think that anything I care about can
>> handle SHA256 these days...
> There are extremely strong reasons for NOT generating SHA1 DNSKEY records!

That was my thought, but the tools complain about not having both...

# dnssec-verify -v 9 -I raw -o
Loading zone '' from file ''
Verifying the zone using the following algorithms: RSASHA256.
Missing self-signed KSK for algorithm RSASHA1
Missing ZSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms: RSASHA1
dnssec-verify: fatal: DNSSEC completeness test failed.

Still working out which ones it thinks are missing, as both appear to be
there - it would be nice if the tool was more specific...
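
An added example, not part of the original message and not BIND code: a small inventory script that lists, per DNSKEY algorithm, which key roles (KSK/ZSK) are present and whether the DNSKEY RRset carries an RRSIG from a KSK of that algorithm, which is the kind of detail the dnssec-verify output above leaves out. It is a simplified bookkeeping check, not dnssec-verify's own logic, and it does not validate signatures cryptographically. Assumptions: the zone is in text format with one record per line and numeric algorithm fields, and the sample records (example.test, placeholder key bytes, dummy signature) are constructed.

```python
import base64
import struct
from collections import defaultdict

ALG = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def inventory(zone_text):
    """Return ({alg: {"KSK": [tags], "ZSK": [tags]}}, {(alg, tag) signing DNSKEY})."""
    keys = defaultdict(lambda: {"KSK": [], "ZSK": []})
    signers = set()
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()          # drop trailing comments
        if "RRSIG" in f:
            r = f[f.index("RRSIG") + 1:]        # covered alg labels ttl exp inc tag ...
            if r[0] == "DNSKEY":
                signers.add((int(r[1]), int(r[6])))
        elif "DNSKEY" in f:
            i = f.index("DNSKEY")
            flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
            key = base64.b64decode("".join(f[i + 4:]))
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks a KSK
            keys[alg][role].append(key_tag(flags, proto, alg, key))
    return keys, signers

def gaps(zone_text):
    """List, per algorithm, the missing roles and missing KSK signature."""
    keys, signers = inventory(zone_text)
    out = []
    for alg in sorted(keys):
        name = ALG.get(alg, f"ALG{alg}")
        for role in ("KSK", "ZSK"):
            if not keys[alg][role]:
                out.append(f"{name}: no {role} in DNSKEY RRset")
        if not any((alg, t) in signers for t in keys[alg]["KSK"]):
            out.append(f"{name}: DNSKEY RRset has no RRSIG from a KSK of this algorithm")
    return out

# Constructed sample: a complete RSASHA256 key set plus a leftover RSASHA1 KSK.
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQID
example.test. 3600 IN DNSKEY 256 3 8 BAUG
example.test. 3600 IN DNSKEY 257 3 5 BwgJ
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20200403000000 20200304000000 2059 example.test. c2ln
"""

if __name__ == "__main__":
    print("\n".join(gaps(SAMPLE)))
```
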
