wdgarc88 at gmail.com
Sat May 1 11:37:32 UTC 2021
OK, I assume that was the same as
dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -f - guiltyparty.net
which has been in our internal wiki for all these years (predates my employment).
So you mean to say when it prints out
IN DS 45701 13 1 5422E9...
IN DS 45701 13 2 qwertyE9...
we never needed 45701 13 1 5422E9, only 45701 13 2 qwertyE9?
and we only need to run
dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f - guiltyparty.net
and enter just that one entry, 45701 13 2 qwertyE, as the DS in the domain,
and what we have been uploading (both) all these years was wrong?
The way we have been doing it is the instructions from the wiki in full, more or less, which I
worked on back in the day:
dnssec-keygen -r /dev/urandom -a rsasha1 -b 1024 -K keys/ -n ZONE foo.net
dnssec-keygen -r /dev/urandom -a rsasha1 -b 4096 -K keys/ -n ZONE -f KSK foo.net
add them into the zone file
dnssec-signzone -a -e +9590400 -K keys/ -N INCREMENT foo.net
then get the DS and add both to the registrar from dig (like above)
foo.net. IN DS 1234 5 1 .....
foo.net. IN DS 1234 5 2 .....
which stretches memory back to 2012; the domain registrar wanted both.
hrmm, now I start to understand why not many use DNSSEC: so confusing to
those who do not
do this every day, or so many instructions around that nobody knows what works.
But we are getting there :->
On Sat, May 1, 2021 at 8:25 PM Tony Finch <dot at dotat.at> wrote:
> Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> > One thing I note, all checks say everything is good, but when using
> > it says secure, shows the ecd... but also puts up warnings that I am
> > alg 13 but digest 1 (sha1), which is not allowed,
> I guess the "digest 1" is referring to your DS records. In my guide I
> said, get the DS record for the new algorithm like this:
> dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY
> The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.
> Old versions of BIND by default print both SHA1 and SHA2 DS records, and
> it's relatively common for zones to have both kinds of DS record in their
> SHA1 DS records are now discouraged so it's best to replace them with
> SHA2, or just delete them if you have both kinds of DS record.
> f.anthony.n.finch <dot at dotat.at> https://dotat.at/
> harness technological change to human advantage
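The DS computation the thread is arguing about, as an added worked example that is not from the thread, from BIND, or from Tony Finch's guide: it builds DS records from a DNSKEY presentation line the way dnssec-dsfromkey does (RFC 4034 section 5.1.4 digest over the canonical owner name plus DNSKEY RDATA, Appendix B key tag), once with digest type 1 (SHA-1) and once with digest type 2 (SHA-256, what the -2 option selects), and then audits a DS set the way you would before pasting it at the registrar, flagging SHA-1 entries for removal. The DNSKEY is constructed (KSK flags 257, algorithm 13, a 64-byte all-zero public key, so the digests are not those of any real key); the owner name guiltyparty.net is the one used in the thread. The function and variable names are this example's own.

```python
# Added example (not from the thread, BIND, or Tony Finch's guide): build DS
# records from a DNSKEY line the way dnssec-dsfromkey does, and audit a DS set
# for deprecated SHA-1 (digest type 1) entries.  RFC 4034 section 5.1.4 and
# Appendix B; the key material below is constructed, not a real key.
import base64
import hashlib

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256 (what "-2" selects).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
DEPRECATED_DIGESTS = {1}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # dig may wrap the base64
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """Render 'owner. IN DS keytag alg digest_type HEX', like dnssec-dsfromkey output."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def check_ds_set(ds_lines):
    """Audit DS lines as shown at a registrar; returns (keytag, digest_type, verdict) per line."""
    results = []
    for line in ds_lines:
        fields = line.split()
        i = fields.index("DS")
        tag, _alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        digest = "".join(fields[i + 4:])
        if dtype not in DIGEST_ALGS:
            verdict = "unknown digest type"
        elif len(digest) != DIGEST_ALGS[dtype]().digest_size * 2:
            verdict = "malformed digest length"
        elif dtype in DEPRECATED_DIGESTS:
            verdict = "drop: SHA-1 digest deprecated"
        else:
            verdict = "keep"
        results.append((tag, dtype, verdict))
    return results


# Constructed DNSKEY: KSK flags (257), protocol 3, algorithm 13, 64 zero bytes as the key.
SAMPLE_DNSKEY = "guiltyparty.net. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    for dt in (1, 2):
        print(ds_record(owner, rdata, dt))
    for item in check_ds_set([ds_record(owner, rdata, 1), ds_record(owner, rdata, 2)]):
        print(item)
```

Running it prints the two DS lines for the constructed key (both carry the same key tag and algorithm, only the digest type and digest differ), then the audit verdicts: the digest-type-1 line is marked for removal and the digest-type-2 line is kept. Feeding it the DS lines a registrar currently holds is a quick way to confirm whether a SHA-1 entry is still published alongside the SHA-256 one.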