DNSSEC upgrade

Tony Finch dot at dotat.at
Sat May 1 10:25:04 UTC 2021

Edwardo Garcia <wdgarc88 at gmail.com> wrote:

> One thing I note, all checks say everything is good, but when using dnsviz,
> it says secure, shows the ecd...  but also puts up warnings that I am using
> alg 13 but digest 1 (sha1), which is not allowed,

I guess the "digest 1" is referring to your DS records. In my guide I
said, get the DS record for the new algorithm like this:

	dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY

The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.

Old versions of BIND by default print both SHA1 and SHA2 DS records, and
it's relatively common for zones to have both kinds of DS record in their

SHA1 DS records are now discouraged so it's best to replace them with
SHA2, or just delete them if you have both kinds of DS record.

f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
harness technological change to human advantage
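
The check described in the message above, as an added example that is not part of the original post or of BIND: it reads a DS RRset in the text form printed by dig or dnssec-dsfromkey and reports, for each SHA-1 (digest type 1) record, whether it can simply be deleted or needs a SHA-2 replacement. The function names, key tags and digests are constructed for illustration.

```python
import re

# DS digest type -> (name, digest length in bytes), per the IANA registry.
DIGESTS = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}

# Matches presentation-format DS records as printed by dig or dnssec-dsfromkey.
DS_LINE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$"
)

def parse_ds(text):
    """Return (owner, key_tag, algorithm, digest_type, digest_hex) tuples."""
    records = []
    for line in text.splitlines():
        m = DS_LINE.match(line.strip())
        if m:  # comment lines and other record types are skipped
            owner, tag, alg, dtype, digest = m.groups()
            digest = "".join(digest.split()).upper()  # dig splits long digests
            records.append((owner.lower(), int(tag), int(alg), int(dtype), digest))
    return records

def audit_ds(text):
    """Return (key_tag, algorithm, digest_type, verdict) for each DS record."""
    records = parse_ds(text)
    # Keys (owner, tag, algorithm) that already have a SHA-2 DS record.
    has_sha2 = {(o, t, a) for o, t, a, d, _ in records if d in (2, 4)}
    report = []
    for owner, tag, alg, dtype, digest in records:
        if dtype not in DIGESTS:
            verdict = "unknown digest type"
        elif len(digest) != 2 * DIGESTS[dtype][1]:
            verdict = "malformed: wrong digest length"
        elif dtype != 1:
            verdict = "ok"
        elif (owner, tag, alg) in has_sha2:
            verdict = "delete: SHA-2 DS exists for this key"
        else:
            verdict = "replace: only SHA-1 DS for this key"
        report.append((tag, alg, dtype, verdict))
    return report

# Constructed sample: key tags are made up and the digests are filler hex.
SAMPLE = "\n".join([
    "; DS RRset for botolph.cam.ac.uk (constructed)",
    "botolph.cam.ac.uk. 3600 IN DS 11111 13 1 " + "AB" * 20,
    "botolph.cam.ac.uk. 3600 IN DS 11111 13 2 " + "CD" * 16 + " " + "CD" * 16,
    "botolph.cam.ac.uk. IN DS 22222 13 1 " + "EF" * 20,
])

if __name__ == "__main__":
    for row in audit_ds(SAMPLE):
        print(*row, sep="\t")
```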

More information about the bind-users mailing list