On 3/3/20 8:59 AM, Tony Finch wrote:
> Alan Batie <a...@peak.org> wrote:
>>
>> This is timely as I was about to ask if there's any reason to generate
>> SHA1 DNSKEY records? I should think that anything I care about can
>> handle SHA256 these days...
>
> There are extremely strong reasons for NOT generating SHA1 DNSKEY records!
That was my thought, but the tools complain about not having both...

# dnssec-verify -v 9 -I raw -o domain.com domain.com.signed
Loading zone 'domain.com' from file 'domain.com.signed'
Verifying the zone using the following algorithms: RSASHA256.
Missing self-signed KSK for algorithm RSASHA1
Missing ZSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms: RSASHA1 RSASHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.

Still working out which ones it thinks are missing, as both appear to be
there - it would be nice if the tool was more specific...
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
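The completeness test that dnssec-verify is applying in the quoted run follows from RFC 4035 section 2.2: every algorithm that appears in a zone's DNSKEY RRset must sign the zone, so in practice each algorithm number present needs both a KSK (flags 257) and a ZSK (flags 256). A DNSKEY RRset that holds an RSASHA256 KSK and an RSASHA1 ZSK is therefore incomplete for both algorithms at once, which is exactly the pair of messages in the quoted output. The script below is an added example, written here for this thread and not code from BIND or ISC; it reads DNSKEY records in presentation format from a constructed zone fragment (the key material is made up), computes each key's tag per RFC 4034 Appendix B.1, and reports, per algorithm, which role is missing and which key tags are present, so the report names the offending keys instead of only the algorithm. It only checks the presence of key roles; it does not verify the RRSIGs that make a KSK "self-signed", and multi-line parenthesized DNSKEY records are not handled. Names such as check_zone and SAMPLE_ZONE are this example's own.

```python
# Added example (not BIND/ISC code): per-algorithm DNSKEY completeness check that names the keys it found.
import base64
from collections import defaultdict

# DNSSEC algorithm numbers from the IANA registry (RFC 4034, RFC 5155, RFC 5702, RFC 6605, RFC 8080).
ALGORITHMS = {
    5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
ZSK_FLAGS = 256       # Zone Key bit set
KSK_FLAGS = 257       # Zone Key + Secure Entry Point (SEP) bits set
DNSKEY_PROTOCOL = 3   # RFC 4034 section 2.1.2: the protocol field MUST be 3


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B.1 (the generic, non-RSAMD5 form)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskeys(zone_text):
    """Return (owner, flags, protocol, algorithm, key_tag) for every single-line DNSKEY RR
    in presentation format. TTL and class are optional; ';' comments are stripped."""
    keys = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if i == 0 or len(fields) < i + 5:
            continue  # malformed: no owner name or no key material
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by whitespace
        keys.append((fields[0], flags, protocol, algorithm,
                     key_tag(flags, protocol, algorithm, pubkey)))
    return keys


def completeness_report(keys):
    """Every algorithm in the DNSKEY RRset needs both a KSK (257) and a ZSK (256), because
    RFC 4035 section 2.2 requires the zone to be signed with each such algorithm. For an
    incomplete algorithm the report lists the key tags of the keys that ARE present."""
    by_alg = defaultdict(lambda: {"KSK": [], "ZSK": []})
    for _owner, flags, protocol, algorithm, tag in keys:
        if protocol != DNSKEY_PROTOCOL:
            continue
        role = {KSK_FLAGS: "KSK", ZSK_FLAGS: "ZSK"}.get(flags)
        if role is None:
            continue  # e.g. a revoked key (REVOKE bit set) is not counted as a live signing key
        by_alg[algorithm][role].append(tag)
    problems = []
    for algorithm in sorted(by_alg):
        name = ALGORITHMS.get(algorithm, "alg%d" % algorithm)
        for role, other in (("KSK", "ZSK"), ("ZSK", "KSK")):
            if not by_alg[algorithm][role]:
                problems.append("Missing %s for algorithm %s (only %s key tag(s) %s present)"
                                % (role, name, other, by_alg[algorithm][other]))
    return dict(by_alg), problems


def check_zone(zone_text):
    """Parse a zone fragment and return (keys grouped by algorithm and role, list of problems)."""
    return completeness_report(parse_dnskeys(zone_text))


# Constructed sample zone fragment (made-up key material): a leftover RSASHA1 ZSK next to an
# RSASHA256 KSK with no RSASHA256 ZSK, the mismatch the quoted dnssec-verify run complains about.
SAMPLE_ZONE = """\
domain.com.  3600 IN SOA    ns1.domain.com. hostmaster.domain.com. 2020030301 7200 3600 1209600 3600
domain.com.  3600 IN DNSKEY 257 3 8 AwEAAcKSKkeyMaterialIsMadeUpForThisExample00   ; KSK, RSASHA256
domain.com.  3600 IN DNSKEY 256 3 5 AwEAAVoldZSKkeyMaterialIsMadeUpForThisExample111  ; ZSK, RSASHA1
"""

if __name__ == "__main__":
    by_alg, problems = check_zone(SAMPLE_ZONE)
    for algorithm, roles in sorted(by_alg.items()):
        print(ALGORITHMS.get(algorithm, algorithm), roles)
    for p in problems:
        print(p)
```

Run against a real signed zone file, the output for the situation above is one line per algorithm naming the role that is absent and the key tags that are present, which is enough to match against the K&lt;zone&gt;+&lt;alg&gt;+&lt;tag&gt; key files on disk and remove or replace the stray key.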