DNSSEC upgrade

Edwardo Garcia wdgarc88 at gmail.com
Sat May 1 12:55:56 UTC 2021


Thank you! I have now corrected our ancient internal wiki, so now we have
learned how it goes.
Very much appreciate your patience and help, now I can start my weekend :->


On Sat, May 1, 2021 at 10:31 PM Tony Finch <dot at dotat.at> wrote:

> Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> >
> > So you mean to say when it prints out
> >
> > IN DS 45701 13 1 5422E9...
> > IN DS 45701 13 2 qwertyE9...
> >
> > we never needed 45701 13 1 5422E9   only   45701 13 2 qwertyE9  ?
>
> Exactly, yes!
>
> > and we only need run
> >
> > dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f - guiltyparty.net
> >
> > and enter in just that one entry?  45701 13 2 qwertyE to the DS in domain
> > reg?
>
> Correct!
>
> > and we have been uploading both all these years, was that wrong?
>
> Well, not wrong, but unnecessary. The tools generally encouraged everyone
> to publish both SHA1 and SHA2 DS records even though just SHA2 has been
> enough for more than 10 years and SHA1 has had known weaknesses for even
> longer.
>
> > hrmm, now I start to understand why not many use DNSSEC, so confusing to
> > those who do not do this every day, or so many instructions around nobody
> > knows what works
> >
> > But we getting there :->
>
> Yes, slowly...
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Shannon, Rockall: Variable 4 or less, becoming southwest 3 to 5 later.
> Slight, occasionally moderate in Rockall and at first in Shannon.
> Showers. Good.
>
>
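Added example, not part of the thread or of BIND: a sketch of how a digest-type-2 (SHA-256) DS record, the only one the thread says needs to go to the registrar, is derived from a DNSKEY per RFC 4034. The zone name `example.net`, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(key_b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the '45701'-style number in a DS)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(zone_line):
    """Turn one 'owner [ttl] IN DNSKEY flags proto alg key' line into a type-2 DS.

    Returns None for keys without the SEP (KSK) flag; no SHA-1 (type 1) DS
    is ever produced.
    """
    fields = zone_line.split()
    i = fields.index("DNSKEY")
    owner = fields[0].lower()
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    if not flags & 0x0001:          # SEP bit clear: a ZSK, no DS wanted
        return None
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[i + 4:]))
    # DS digest = SHA-256(owner name in wire form | DNSKEY RDATA)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed sample input: 64 placeholder bytes standing in for a P-256 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_ZONE = [
    f"example.net. 3600 IN DNSKEY 256 3 13 {SAMPLE_KEY}",   # ZSK, skipped
    f"Example.NET. 3600 IN DNSKEY 257 3 13 {SAMPLE_KEY}",   # KSK, gets a DS
]

if __name__ == "__main__":
    for line in SAMPLE_ZONE:
        ds = ds_sha256(line)
        if ds:
            print(ds)
```

Comparing the key tag, algorithm and digest this produces against what the registrar shows is a quick way to confirm that the single SHA-256 entry matches the published DNSKEY.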