Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

Alan Batie alan at peak.org
Wed Mar 4 00:05:26 UTC 2020


On 3/3/20 8:59 AM, Tony Finch wrote:
> Alan Batie <alan at peak.org> wrote:
>>
>> This is timely as I was about to ask if there's any reason to generate
>> SHA1 DNSKEY records?  I should think that anything I care about can
>> handle SHA256 these days...
> 
> There are extremely strong reasons for NOT generating SHA1 DNSKEY records!

That was my thought, but the tools complain about not having both...

# dnssec-verify -v 9 -I raw -o domain.com domain.com.signed
Loading zone 'domain.com' from file 'domain.com.signed'
Verifying the zone using the following algorithms: RSASHA256.
Missing self-signed KSK for algorithm RSASHA1
Missing ZSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms: RSASHA1
RSASHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.


Still working out which ones it thinks are missing, as both appear to be
there - it would be nice if the tool was more specific...
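As an added illustration (not part of this thread or of BIND's own tooling), a small Python check that mirrors what the completeness test asks for: every algorithm that appears in the apex DNSKEY RRset needs its own KSK with an RRSIG over the DNSKEY RRset and its own ZSK (RFC 4035 section 2.2), so a leftover DNSKEY of a second algorithm is enough to produce messages like the ones above. The zone records below are constructed; dnssec-verify additionally validates the signatures, which this record-level check does not.

```python
from collections import defaultdict

# DNSSEC algorithm numbers from the IANA registry (subset)
ALGO_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
SEP_FLAG = 0x0001  # DNSKEY flags bit 15 (Secure Entry Point) marks a KSK, RFC 4034 s2.1.1

# Constructed sample apex: an RSASHA256 KSK, a leftover RSASHA1 ZSK, and a DNSKEY
# RRSIG made only with the RSASHA256 key. Key and signature data are fake.
SAMPLE_ZONE = """\
domain.com. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDKSKMATERIAL==
domain.com. 3600 IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDOLDZSKMATERIAL==
domain.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200401000000 20200303000000 12345 domain.com. cONSTRUCTEDSIG==
"""

def audit_apex_keys(zone_text):
    """For each algorithm in the DNSKEY RRset, record whether a KSK (SEP set), a ZSK
    (SEP clear) and an RRSIG over the DNSKEY RRset by that algorithm are present.
    Assumes one record per line (no parenthesised continuation lines)."""
    report = defaultdict(lambda: {"ksk": False, "zsk": False, "dnskey_rrsig": False})
    for raw in zone_text.splitlines():
        fields = raw.split(";")[0].split()  # drop comments, tokenize
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if len(fields) <= i + 1:
            continue
        rtype, rdata = fields[i + 1], fields[i + 2:]
        if rtype == "DNSKEY" and len(rdata) >= 3:
            flags, alg = int(rdata[0]), int(rdata[2])
            role = "ksk" if flags & SEP_FLAG else "zsk"
            report[ALGO_NAMES.get(alg, f"ALG{alg}")][role] = True
        elif rtype == "RRSIG" and len(rdata) >= 2 and rdata[0] == "DNSKEY":
            alg = int(rdata[1])
            report[ALGO_NAMES.get(alg, f"ALG{alg}")]["dnskey_rrsig"] = True
    return dict(report)

def completeness_problems(report):
    """Messages in the spirit of dnssec-verify: each algorithm present in the
    DNSKEY RRset needs a self-signed KSK and a ZSK."""
    problems = []
    for alg in sorted(report):
        r = report[alg]
        if not (r["ksk"] and r["dnskey_rrsig"]):
            problems.append(f"Missing self-signed KSK for algorithm {alg}")
        if not r["zsk"]:
            problems.append(f"Missing ZSK for algorithm {alg}")
    return problems
```

Running `completeness_problems(audit_apex_keys(SAMPLE_ZONE))` on the constructed zone yields the same two complaints as the transcript above, which points at the specific stray DNSKEY to retire.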
