<div dir="ltr"><div>Hi,</div><div><br></div>Thanks for this confirmation. I had our registrar remove the digest algorithm SHA1 DS<br>entry and this has worked as expected. No errors or warnings at any DNSSEC checkers.<br><br>Maybe in the future dnssec-signzone won't generate the deprecated entry to begin with.<div><br><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 20, 2022 at 3:44 PM Mark Elkins <<a href="mailto:mje@posix.co.za">mje@posix.co.za</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Just remove the type-1 digest from the domain registrar.</p>
<p>In the future - only upload type type-2 version.<br>
</p>
<div>On 2022/09/20 20:32, frank picabia
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div>The algorithm migration I made to 8 has worked well.<br>
Getting green lights on DNSSEC checkers, etc.</div>
<div><br>
</div>
<div>The only odd bit is some warnings at <a href="http://DNSVIS.NET" target="_blank">DNSVIS.NET</a><br>
about DS records using digest algorithm 1.</div>
<div><br>
<span style="color:rgb(51,51,51);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:12.0224px;background-color:rgb(255,250,143)">DNSSEC
specification prohibits signing with DS records that use
digest algorithm 1 (SHA-1).</span><br>
<br>
</div>
<div>Somehow the way I do the zone signing results in 2 pairs of
DS<br>
records - one with digest algorithm 2 and one with algorithm
1.</div>
<div><br>
This is the command I've been running lately:<br>
<br>
</div>
<div>/sbin/dnssec-signzone -A -3 - -N keep -o <a href="http://mydomain.ca" target="_blank">mydomain.ca</a>
-t -f forward/mydomain.ca.signed forward/<a href="http://mydomain.ca" target="_blank">mydomain.ca</a><br>
</div>
<div><br>
</div>
<div>As per the howtos I followed years ago, I've provided the
domain registrar<br>
with both DS key records (one key number, two digest
algorithms).<br>
<br>
<a href="http://mydomain.ca" target="_blank">mydomain.ca</a>.
IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619<br>
<a href="http://mydomain.ca" target="_blank">mydomain.ca</a>.
IN DS 20084 8 2
827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416<br>
<br>
In the diagram at <a href="http://DNSVIS.NET" target="_blank">DNSVIS.NET</a>, it looks like the DS
with alg 1<br>
is dangling at the top level domain (.ca) with the yellow
warning as per above,<br>
while the alg 2 links to my domain's DNSKEY properly.<br>
<br>
How should I tidy up this digest algo 1? Do I simply remove
it at the domain registrar,<br>
or is there a better way to run dnssec-signzone?<br>
<br>
<br>
<br>
</div>
</div>
<br>
</blockquote>
<div>-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a href="mailto:mje@posix.co.za" target="_blank">mje@posix.co.za</a> Tel: <a href="tel:+27826010496" target="_blank">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a href="https://ftth.posix.co.za" target="_blank">https://ftth.posix.co.za</a><br>
<br>
</p>
</div>
</div>
</blockquote></div>
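<p>Added example, not code from the thread or from BIND: a small Python audit that takes a set of DS records (the two quoted above are used as the sample input), separates the SHA-1 (digest type 1) entries that a checker such as DNSViz warns about from the SHA-256 (type 2) ones, and only recommends removing a SHA-1 DS when a SHA-256 DS for the same key tag and algorithm is already published, so the delegation is never left without a usable DS. It also recomputes a DS from a DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) so you can verify that the DS the registrar holds really matches the key in your zone. The DNSKEY used in the demonstration (flags 257, algorithm 8, public key <code>AQI=</code>) is a constructed stand-in, not a real key.</p>

```python
"""Audit DS records for deprecated SHA-1 digests and verify DS <-> DNSKEY."""
import base64
import hashlib
import re
import struct

# DS digest types (RFC 4034 / RFC 4509). Type 1 is what DNSViz flags.
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256)}
DEPRECATED_DIGEST_TYPES = {1}

# The two DS records quoted in the thread (key tag 20084, algorithm 8).
THREAD_DS_RECORDS = [
    "mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619",
    "mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416",
]

DS_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def parse_ds(line):
    """Parse one presentation-format DS record (optional TTL allowed)."""
    m = DS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DS record: {line!r}")
    owner, tag, alg, dtype, digest = m.groups()
    return {"owner": owner.rstrip(".").lower() + ".", "key_tag": int(tag),
            "algorithm": int(alg), "digest_type": int(dtype),
            "digest": re.sub(r"\s+", "", digest).upper()}


def audit_ds_set(lines):
    """Return (keep, remove, unsafe).

    keep:   DS records with a non-deprecated digest type.
    remove: deprecated DS records whose key is also covered by a record in keep.
    unsafe: deprecated DS records that are the ONLY DS for their key; publish a
            SHA-256 DS for that key first, then remove these.
    """
    parsed = [parse_ds(l) for l in lines]
    covered = {(d["owner"], d["key_tag"], d["algorithm"]) for d in parsed
               if d["digest_type"] not in DEPRECATED_DIGEST_TYPES}
    keep, remove, unsafe = [], [], []
    for d in parsed:
        if d["digest_type"] not in DEPRECATED_DIGEST_TYPES:
            keep.append(d)
        elif (d["owner"], d["key_tag"], d["algorithm"]) in covered:
            remove.append(d)
        else:
            unsafe.append(d)
    return keep, remove, unsafe


def name_to_wire(name):
    """Canonical (lower-case) wire-format owner name: length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Derive the DS for a DNSKEY: digest over owner-name wire form + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = DIGEST_TYPES[digest_type][1]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner.rstrip(".").lower() + ".", "key_tag": key_tag(rdata),
            "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the DS record (as parsed) was derived from this DNSKEY."""
    expected = compute_ds(owner, flags, protocol, algorithm, pubkey_b64, ds["digest_type"])
    return (expected["key_tag"], expected["algorithm"], expected["digest"]) == \
           (ds["key_tag"], ds["algorithm"], ds["digest"])


if __name__ == "__main__":
    keep, remove, unsafe = audit_ds_set(THREAD_DS_RECORDS)
    for d in remove:
        print("remove at registrar (SHA-1, SHA-256 twin exists):", d["key_tag"], d["digest"])
    for d in unsafe:
        print("do NOT remove yet, no SHA-256 DS for this key:", d["key_tag"])
    # Constructed stand-in DNSKEY, not a real key: check a freshly derived DS.
    ds = compute_ds("example.test.", 257, 3, 8, "AQI=", 2)
    print("derived DS:", ds)
    print("matches DNSKEY:", ds_matches_dnskey(ds, "example.test.", 257, 3, 8, "AQI="))
```

To check a real delegation, feed <code>audit_ds_set</code> the DS lines returned by the parent (for example the output of <code>dig +short DS mydomain.ca</code> reformatted with the owner and IN DS prefix) and, for the verification step, the DNSKEY fields from your own zone's apex.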