DS digest type(s)
Anand Buddhdev
anandb at ripe.net
Wed Oct 16 12:57:36 UTC 2024
On 16/10/2024 14:00, Danilo Godec via bind-users wrote:
Hi Danilo,
> I've been doing some more reading into DNSSEC and if I understand
> correctly, it is allowed to have multiple DS records for one KSK - with
> different digest types. Apparently, SHA-1 is deprecated and shouldn't be
> used anymore, while SHA-256 is mandatory and has to exist.
That is correct.
> That leaves SHA-384, which is optional and I can generate manually with
> 'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records
> to parent zones (.eu in this case), I can just send them both records,
> right?
You can, but it doesn't really enhance the security, and only increases
the response size of queries for your DS records. A single SHA-256 DS
hash is sufficient.
Regards,
Anand
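To make the point in the thread concrete, the following added example (not from the original post or from BIND) builds DS records of digest type 2 (SHA-256) and 4 (SHA-384) from one DNSKEY the way RFC 4034 defines them, and then shows the validator side: a child key is authenticated if any single supported, non-deprecated DS in the parent matches it, so a second digest type adds response size but no extra assurance. The owner name and key bytes are constructed placeholders, not a real .eu zone key.

```python
import hashlib
import struct

# Constructed sample KSK (flags=257, protocol=3, algorithm=13 ECDSAP256SHA256);
# the 64 key bytes are placeholder data, not real key material.
OWNER = "example.eu."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY = bytes(range(64))

DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type registry
DEPRECATED = {1}  # SHA-1 DS digests must not be relied on any more


def wire_name(name):
    """Canonical (lower-cased) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type):
    """DS RDATA as (key_tag, algorithm, digest_type, hex digest), RFC 4034 5.1.4:
    digest = hash(owner name in wire format || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(wire_name(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def ds_authenticates_key(ds_set, owner, flags, protocol, algorithm, pubkey):
    """Validator view: the DNSKEY is trusted if ANY supported, non-deprecated DS
    in the parent's set matches it; extra digest types do not raise the bar."""
    for tag, alg, dtype, digest in ds_set:
        if dtype in DEPRECATED or dtype not in DIGEST_TYPES:
            continue  # unusable digest type: skip, do not fail
        if make_ds(owner, flags, protocol, algorithm, pubkey, dtype) == (tag, alg, dtype, digest):
            return True
    return False
```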