On 10/01/2022 16:48, Danilo Godec via bind-users wrote:
Hi Danilo,
[snip]
I don't know what is causing the DNSViz error. Perhaps someone else may
see the issue.
sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are
ignored when DS records with digest type 2 (SHA-256) exist in the same
RRset.
This is probably due to the fact that Bind version included in CentOS 8
/dnssec-signzone/ creates two 'digests' in the /dsset/ file (sha-1 and
sha-256 - which is what I've sent to the domain registrar to include),
while newer Bind versions only create one...
Is including SHA-1 bad in some way? Should I change that?
Having a DS record with a SHA-1 hash isn't bad, but it's pointless,
because you already have the stronger SHA-2 hash. Most modern resolvers
will ignore the SHA-1 hash. So just remove it.
Regards,
Anand Buddhdev
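
Added example, not part of the original message: a small Python check that reads DS records in dsset-file layout and lists the SHA-1 (digest type 1) records whose RRset also contains a SHA-256 (digest type 2) record, which is the condition the DNSViz notice describes. The function names, the example.test owner and all digest values are constructed placeholders; only the sid.si owner, key tag 12603 and algorithm 13 come from the thread.

```python
import re

# Constructed sample in dsset-file layout. Owner, key tag and algorithm of the
# first two records are from the thread; every digest is a placeholder.
SAMPLE_DSSET = (
    "sid.si.\t\tIN DS 12603 13 1 " + "AB" * 20 + "\n"
    "sid.si.\t\tIN DS 12603 13 2 " + "CD" * 16 + " " + "EF" * 16 + "\n"
    "example.test.\tIN DS 4242 13 1 " + "12" * 20 + "\n"  # SHA-1 only
)

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384


def parse_ds(text):
    """Return (owner, key_tag, algorithm, digest_type, digest) tuples."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()  # drop zone-file comments
        if not tokens:
            continue
        if "DS" not in tokens[1:]:
            raise ValueError(f"line {lineno}: not a DS record")
        rdata = tokens[tokens.index("DS", 1) + 1:]
        if len(rdata) < 4:
            raise ValueError(f"line {lineno}: truncated DS rdata")
        key_tag, alg, dtype = (int(x) for x in rdata[:3])
        digest = "".join(rdata[3:]).upper()  # long digests are space-split
        if not re.fullmatch(r"[0-9A-F]+", digest):
            raise ValueError(f"line {lineno}: digest is not hex")
        if dtype in DIGEST_HEX_LEN and len(digest) != DIGEST_HEX_LEN[dtype]:
            raise ValueError(f"line {lineno}: wrong digest length")
        records.append((tokens[0].lower(), key_tag, alg, dtype, digest))
    return records


def ignored_sha1(records):
    """SHA-1 DS records whose RRset (same owner) also holds a SHA-256 DS."""
    owners_with_sha256 = {r[0] for r in records if r[3] == 2}
    return [r for r in records if r[3] == 1 and r[0] in owners_with_sha256]


if __name__ == "__main__":
    for owner, key_tag, alg, dtype, _ in ignored_sha1(parse_ds(SAMPLE_DSSET)):
        print(f"{owner} DS id={key_tag} alg={alg} digest type {dtype}: redundant")
```

The SHA-1-only owner is deliberately not reported, since the condition in the notice applies only when a SHA-256 record exists in the same RRset.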