<div dir="ltr"><div>OKi, I assume that was same as<br><br><br>dig @ns0 dnskey <a href="http://guiltyparty.net">guiltyparty.net</a> | dnssec-dsfromkey -f - <a href="http://guiltyparty.net">guiltyparty.net</a><br><br><br>Which is in our internals wiki for all these years (predate my employment 2012 )<br><br>So you mean to say when it print out<br><br>IN DS 45701 13 1 5422E9...<br>IN DS 45701 13 2 qwertyE9...<br><br>we never needed 45701 13 1 5422E9 only 45701 13 2 qwertyE9 ?<br><br>and we only need run<br><br>dig @ns0 dnskey <a href="http://guiltyparty.net">guiltyparty.net</a> | dnssec-dsfromkey -2 -f - <a href="http://guiltyparty.net">guiltyparty.net</a><br><br>and enter in just that one entry? 45701 13 2 qwertyE to the DS in domain reg?<br><br><br><br><br>and we have been upload both all this years was wrong ?<br><br><br>way we been do it is instruction from wiki in full, more or less which I guess<br>worked back in the day, <br><br>dnssec-keygen -r /dev/urandom -a rsasha1 -b 1024 -K keys/ -n ZONE <a href="http://foo.net">foo.net</a><br>dnssec-keygen -r /dev/urandom -a rsasha1 -b 4096 -K keys/ -n ZONE -f KSK <a href="http://foo.net">foo.net</a><br><br>add into zone file<br><br>$INCLUDE keys/Kfoo.net.+005+6341.key <br>$INCLUDE keys/Kfoo.net.+005+9847.key <br><br>dnssec-signzone -a -e +9590400 -K keys/ -N INCREMENT <a href="http://foo.net">foo.net</a><br>rndc stuff<br><br>then get DS and add both info registrar from dig (like above)<br><br><a href="http://foo.net">foo.net</a>. IN DS 1234 5 1 .....<br><a href="http://foo.net">foo.net</a>. 
IN DS 1234 5 2 .....<br><br>which stretch memory back to 2012 domain registrasr wanted both<br><br><br>hrmm, now I start to understand why not many use DNSSEC so confusing to those who not<br>do this every day, or so many instructions around nobody knows what works<br><br></div>But we getting there :-><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 1, 2021 at 8:25 PM Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Edwardo Garcia <<a href="mailto:wdgarc88@gmail.com" target="_blank">wdgarc88@gmail.com</a>> wrote:<br>
<br>
> One thing I note, all check say everything is good, but when using dnsviz,<br>
> it says secure, shows the ecd... but also puts up warnings that I am using<br>
> alg 13 but digest 1 (sha1), which is not allowed,<br>
<br>
I guess the "digest 1" is referring to your DS records. In my guide I<br>
said, get the DS record for the new algorithm like this:<br>
<br>
dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY<br>
<br>
The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.<br>
<br>
Old versions of BIND by default print both SHA1 and SHA2 DS records, and<br>
it's relatively common for zones to have both kinds of DS record in their<br>
delegation.<br>
<br>
SHA1 DS records are now discouraged so it's best to replace them with<br>
SHA2, or just delete them if you have both kinds of DS record.<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> <a href="https://dotat.at/" rel="noreferrer" target="_blank">https://dotat.at/</a><br>
harness technological change to human advantage<br>
<br>
</blockquote></div>
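<div>Added example (editor's note, not code from either poster): the script below builds DS records from a DNSKEY the way dnssec-dsfromkey does (RFC 4034 section 5.1.4, key tag from RFC 4034 Appendix B), once with digest type 1 (SHA-1) and once with digest type 2 (SHA-256), and then audits a DS set for the SHA-1 entries that dnsviz warns about. It shows why the key tag (45701 in the thread) is identical on both lines: the tag is computed from the DNSKEY alone, so the two DS records describe the same key and a validator only needs one of them to match. The owner name foo.net comes from the thread; the 64-byte public key is a constructed placeholder, not a real ECDSA key, so the digests it produces are illustrative only.<br></div>

```python
"""Build DS records from a DNSKEY and flag SHA-1 (digest type 1) entries.

Added example for the thread above; it is not BIND code. Real DS values
must come from dnssec-dsfromkey -2 run against the zone's actual DNSKEY.
"""
import hashlib

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): 1 = SHA-1, 2 = SHA-256
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256"}


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type):
    """Presentation form of the DS RR: owner IN DS keytag algorithm digesttype hex."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def audit_ds_set(ds_lines):
    """Split a DS set into (keep, replace): digest type 1 entries go to 'replace',
    which is what dnsviz is warning about in the thread."""
    keep, replace = [], []
    for line in ds_lines:
        fields = line.split()
        digest_type = int(fields[fields.index("DS") + 3])
        (replace if digest_type == 1 else keep).append(line)
    return keep, replace


# Constructed sample: KSK flags (257), protocol 3, algorithm 13 (ECDSA P-256),
# and a 64-byte placeholder "public key" (bytes 1..64), NOT a real key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    ds_lines = [ds_record("foo.net", SAMPLE_RDATA, t) for t in (1, 2)]
    for line in ds_lines:
        print(line)
    keep, replace = audit_ds_set(ds_lines)
    print("keep at registrar:  ", [l.split()[5] for l in keep])
    print("replace (SHA-1):    ", [l.split()[5] for l in replace])
```

Both generated lines carry the same key tag and algorithm and differ only in the digest type and digest, which is the pattern in the quoted output; the audit keeps the digest type 2 line and lists the digest type 1 line for removal, matching the advice in the reply to drop the SHA-1 DS when both kinds exist.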