Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)
alan at peak.org
Wed Mar 4 00:05:26 UTC 2020
On 3/3/20 8:59 AM, Tony Finch wrote:
> Alan Batie <alan at peak.org> wrote:
>> This is timely as I was about to ask if there's any reason to generate
>> SHA1 DNSKEY records? I should think that anything I care about can
>> handle SHA256 these days...
> There are extremely strong reasons for NOT generating SHA1 DNSKEY records!
That was my thought, but the tools complain about not having both...
# dnssec-verify -v 9 -I raw -o domain.com domain.com.signed
Loading zone 'domain.com' from file 'domain.com.signed'
Verifying the zone using the following algorithms: RSASHA256.
Missing self-signed KSK for algorithm RSASHA1
Missing ZSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms: RSASHA1
dnssec-verify: fatal: DNSSEC completeness test failed.
Still working out which ones it thinks are missing, as both appear to be
there - it would be nice if the tool was more specific...
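For readers trying to decode the three complaints above: dnssec-verify checks each algorithm that appears in the apex DNSKEY RRset separately, so a single leftover key of an unwanted algorithm is enough to make the whole zone fail the completeness test even though every other algorithm is fine. The script below is an added illustration (not part of this post, not BIND's code) that applies the same per-algorithm rules to constructed sample records and names the offending RRsets; the DNSKEY tuples, key tags and RRSIG lists are made up, and the mapping to dnssec-verify's messages is my reading of its behaviour, not a guarantee of how the tool is implemented.

```python
"""Per-algorithm DNSSEC completeness check, modelled on the rules that
dnssec-verify reports against (RFC 4035 section 2.2): every algorithm
present in the apex DNSKEY RRset needs (a) a KSK of that algorithm whose
RRSIG covers the DNSKEY RRset, (b) a ZSK of that algorithm, and (c) an
RRSIG of that algorithm over every other authoritative RRset.
All records below are constructed sample data, not a real zone."""

from collections import defaultdict

# Algorithm numbers from the IANA DNSSEC algorithm registry.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
SEP_FLAG = 0x0001        # Secure Entry Point bit: the key is a KSK
ZONE_KEY_FLAG = 0x0100   # bit 7 set: the key is a zone key at all


def alg_name(alg):
    return ALG_NAMES.get(alg, f"algorithm {alg}")


def completeness_report(dnskeys, rrsets, rrsigs):
    """dnskeys: [(key_tag, flags, algorithm)], key tags are supplied, not computed.
    rrsets:  [(owner, type)] authoritative RRsets other than the apex DNSKEY.
    rrsigs:  [(owner, type_covered, algorithm, key_tag)].
    Returns {algorithm_name: [problem, ...]}; an empty list means complete."""
    algorithms = sorted({alg for _, flags, alg in dnskeys if flags & ZONE_KEY_FLAG})
    # Signatures over the apex DNSKEY RRset, keyed by (algorithm, key tag).
    dnskey_sigs = {(alg, tag) for _, typ, alg, tag in rrsigs if typ == "DNSKEY"}
    # For every other RRset, the set of algorithms that have signed it.
    covered = defaultdict(set)
    for owner, typ, alg, _tag in rrsigs:
        if typ != "DNSKEY":
            covered[(owner, typ)].add(alg)

    report = {}
    for alg in algorithms:
        problems = []
        ksks = [tag for tag, flags, a in dnskeys if a == alg and (flags & SEP_FLAG)]
        zsks = [tag for tag, flags, a in dnskeys
                if a == alg and (flags & ZONE_KEY_FLAG) and not (flags & SEP_FLAG)]
        # (a) a KSK of this algorithm must have signed the DNSKEY RRset itself
        if not any((alg, tag) in dnskey_sigs for tag in ksks):
            problems.append(f"Missing self-signed KSK for algorithm {alg_name(alg)}")
        # (b) a non-SEP key of this algorithm must exist to sign zone data
        if not zsks:
            problems.append(f"Missing ZSK for algorithm {alg_name(alg)}")
        # (c) every other RRset must carry an RRSIG of this algorithm
        unsigned = sorted(f"{owner}/{typ}" for owner, typ in rrsets
                          if alg not in covered[(owner, typ)])
        if unsigned:
            problems.append(f"Not fully signed for {alg_name(alg)}: " + ", ".join(unsigned))
        report[alg_name(alg)] = problems
    return report


# Constructed sample: an RSASHA256 key pair does all the signing, but a stale
# RSASHA1 KSK is still published in the DNSKEY RRset (flags 257 = zone key + SEP).
SAMPLE_DNSKEYS = [
    (20000, 257, 8),   # RSASHA256 KSK, signs the DNSKEY RRset
    (30000, 256, 8),   # RSASHA256 ZSK, signs everything else
    (11111, 257, 5),   # leftover RSASHA1 KSK with no matching signatures
]
SAMPLE_RRSETS = [("example.test.", "SOA"), ("example.test.", "NS"), ("www.example.test.", "A")]
SAMPLE_RRSIGS = [
    ("example.test.", "DNSKEY", 8, 20000),
    ("example.test.", "SOA", 8, 30000),
    ("example.test.", "NS", 8, 30000),
    ("www.example.test.", "A", 8, 30000),
]

if __name__ == "__main__":
    for name, problems in completeness_report(SAMPLE_DNSKEYS, SAMPLE_RRSETS, SAMPLE_RRSIGS).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

With the sample data the RSASHA256 entry comes back clean and the RSASHA1 entry gets all three complaints, which is the shape of the output above with the algorithms swapped; dropping the stale key from the DNSKEY list makes the whole report clean, which is the usual fix when an algorithm nobody meant to keep is still published.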