DNSSEC upgrade

Edwardo Garcia wdgarc88 at gmail.com
Sat May 1 11:37:32 UTC 2021

OKi, I assume that was same as

dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -f - guiltyparty.net

Which is in our internals wiki for all these years (predate my employment
2012 )

So you mean to say when it print out

IN DS 45701 13 1 5422E9...
IN DS 45701 13 2 qwertyE9...

we never needed 45701 13 1 5422E9   only   45701 13 2 qwertyE9  ?

and we only need run

dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f - guiltyparty.net

and enter  in just that one entry?  45701 13 2 qwertyE to the DS in domain

and we have been upload both all this years was wrong ?

way we been do it is instruction from wiki in full, more or less which I
worked back in the day,

dnssec-keygen -r /dev/urandom -a rsasha1 -b 1024 -K keys/ -n ZONE foo.net
dnssec-keygen -r /dev/urandom -a rsasha1 -b 4096 -K keys/ -n ZONE -f KSK

add into zone file

$INCLUDE keys/Kfoo.net.+005+6341.key
$INCLUDE keys/Kfoo.net.+005+9847.key

dnssec-signzone -a -e +9590400 -K keys/ -N INCREMENT foo.net
rndc stuff

then get DS and add both info registrar from dig (like above)

foo.net. IN DS 1234 5 1 .....
foo.net. IN DS 1234 5 2 .....

which stretch memory back to 2012 domain registrasr wanted both

hrmm, now I start to understand why not many use DNSSEC so confusing to
those who not
do this every day, or so many instructions around nobody knows what works

But we getting there :->

On Sat, May 1, 2021 at 8:25 PM Tony Finch <dot at dotat.at> wrote:

> Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> > One thing I note, all check say everything is good, but when using
> dnsviz,
> > it says secure, shows the ecd...  but also puts up warnings that I am
> using
> > alg 13 but digest 1 (sha1), which is not allowed,
> I guess the "digest 1" is referring to your DS records. In my guide I
> said, get the DS record for the new algorithm like this:
>         dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY
> The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.
> Old versions of BIND by default print both SHA1 and SHA2 DS records, and
> it's relatively common for zones to have both kinds of DS record in their
> delegation.
> SHA1 DS records are now discouraged so it's best to replace them with
> SHA2, or just delete them if you have both kinds of DS record.
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> harness technological change to human advantage
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210501/de9dce1c/attachment.htm>

More information about the bind-users mailing list