DS digest type(s)
Danilo Godec
danilo.godec at agenda.si
Wed Oct 16 12:00:58 UTC 2024
Hi,
I've been doing some more reading into DNSSEC and if I understand
correctly, it is allowed to have multiple DS records for one KSK - with
different digest types. Apparently, SHA-1 is deprecated and shouldn't be
used anymore, while SHA-256 is mandatory and has to exist.
That leaves SHA-384, which is optional and I can generate manually with
'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records
to parent zones (.eu in this case), I can just send them both records,
right?
Is it also possible to have dnssec-policy generate both digest types
as CDS records?
Regards,
Danilo
More information about the bind-users mailing list