Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

Tony Finch dot at dotat.at
Thu Mar 5 13:26:27 UTC 2020


Alan Batie <alan at peak.org> wrote:
>
> I'm letting named do the automatic signing/generation of RRSIG records,
> but unless I'm missing something, you still have to generate the DNSKEY
> records manually.  dnssec-verify is the tool in question complaining
> about not including RSASHA1 keys and signatures.

Oh whoops, sorry, I wasn't paying proper attention.

I think those errors from dnssec-verify look to me like you have an
RSASHA256 KSK and an RSASHA1 ZSK. Your key files should all have names
like K*+008+* not K*+005+*. In older versions of BIND it's easy to
accidentally get a bad key by forgetting the -a option to dnssec-keygen.

(BTW I prefer to talk about "keys" when I have the files with both the
public and private parts, and only talk about DNSKEYs when I'm referring
to the public parts published in zone files.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
a fair, free and open society
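Added example (not part of the thread): a small Python audit that parses BIND's K<zone>+<alg>+<keyid>.key file names and the DNSKEY record inside each file, so an RSASHA1 (005) key sitting beside an RSASHA256 (008) one stands out before dnssec-verify complains. The sample files and their key material are constructed.

```python
"""Audit BIND DNSSEC key files: flag RSASHA1 (algorithm 5/7) keys.

BIND names key files K<zone>+<alg>+<keyid>.key, <alg> being the three-digit
DNSSEC algorithm number (005 = RSASHA1, 008 = RSASHA256). The .key file holds
the public DNSKEY RR, whose third RDATA field repeats the algorithm number.
"""
import re

# Algorithm numbers from the IANA DNSSEC registry; 5 and 7 are SHA1-based.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
SHA1_ALGS = {5, 7}

KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.key$")
# DNSKEY RR: <owner> [ttl] [class] DNSKEY <flags> <protocol=3> <alg> <base64 key>
DNSKEY_RE = re.compile(r"\bDNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s+")


def audit_key_file(name: str, contents: str) -> dict:
    """Cross-check the algorithm in the file name against the DNSKEY RR inside."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError(f"not a BIND key file name: {name}")
    r = DNSKEY_RE.search(contents)
    if not r:
        raise ValueError(f"{name}: no DNSKEY record found")
    rr_alg, flags = int(r.group("alg")), int(r.group("flags"))
    return {
        "zone": m.group("zone"),
        "keyid": int(m.group("keyid")),
        "role": "KSK" if flags & 1 else "ZSK",   # SEP bit (257 vs 256) marks the KSK
        "algorithm": rr_alg,
        "name": ALG_NAMES.get(rr_alg, f"alg{rr_alg}"),
        "filename_matches": int(m.group("alg")) == rr_alg,
        "sha1": rr_alg in SHA1_ALGS,
    }


# Constructed sample key files (fake key material) mirroring the thread:
# an RSASHA256 KSK (008) alongside an RSASHA1 ZSK (005).
SAMPLE_FILES = {
    "Kexample.com.+008+12345.key": "example.com. IN DNSKEY 257 3 8 AwEAAfakeKSK=\n",
    "Kexample.com.+005+54321.key": "example.com. IN DNSKEY 256 3 5 AwEAAfakeZSK=\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLE_FILES.items():
        f = audit_key_file(fname, body)
        note = "  <-- SHA1-based; regenerate with dnssec-keygen -a RSASHA256" if f["sha1"] else ""
        print(f"{fname}: {f['role']} {f['name']}{note}")
```

Run it against a real key directory by feeding each `K*.key` file's name and contents to `audit_key_file`; a `filename_matches` of False means the file was renamed or edited by hand.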

