<div dir="ltr">I wonder if any of your nameserver resolve it just fine, like 8.8.8.8 works, and the verification through verisign site gives no error, <div><a href="https://dnssec-analyzer.verisignlabs.com/gpo.gov">https://dnssec-analyzer.verisignlabs.com/gpo.gov</a><br></div><div><br></div><div>Also this one only warning instead of hard fail, or maybe these web check are not up-to-date:</div><div><a href="https://dnsviz.net/d/gpo.gov/dnssec/">https://dnsviz.net/d/gpo.gov/dnssec/</a><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 14, 2023 at 11:24 AM John W. Blue via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Keep in mind that SHA1 may not have been included by choice.<br>
<br>
If <a href="http://gpo.gov" rel="noreferrer" target="_blank">gpo.gov</a> is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1.<br>
<br>
John<br>
<br>
-----Original Message-----<br>
From: bind-users [mailto:<a href="mailto:bind-users-bounces@lists.isc.org" target="_blank">bind-users-bounces@lists.isc.org</a>] On Behalf Of Stephane Bortzmeyer<br>
Sent: Tuesday, March 14, 2023 10:17 AM<br>
To: Alexandra Yang<br>
Cc: <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
Subject: Re: DNSSEC error resolving <a href="http://gpo.gov" rel="noreferrer" target="_blank">gpo.gov</a> ?<br>
<br>
On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang <<a href="mailto:drayales@gmail.com" target="_blank">drayales@gmail.com</a>> wrote a message of 154 lines which said:<br>
<br>
> I wonder if anyone can shed some light on this, our nameserver(BIND<br>
> 9.16.37 )keeps giving error on resolving <a href="http://gpo.gov" rel="noreferrer" target="_blank">gpo.gov</a> and <a href="http://ns3.gpo.gov" rel="noreferrer" target="_blank">ns3.gpo.gov</a>, here <br>
> are the<br>
> errors:<br>
<br>
"DS record for zone <a href="http://gpo.gov" rel="noreferrer" target="_blank">gpo.gov</a> with keytag 18496 was created by digest algorithm 1 (SHA-1) which is deprecated."<br>
<a href="https://zonemaster.fr/en/result/9161c8485223705c" rel="noreferrer" target="_blank">https://zonemaster.fr/en/result/9161c8485223705c</a><br>
<br>
--<br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>