Maybe in the future dnssec-signzone won't generate the deprecated entry to
begin with.
BIND 9.16.0 stopped generating SHA1 digests [1]:

"DS and CDS records are now generated with SHA-256 digests only, instead of
both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey,
the dsset files generated by dnssec-signzone, the DS records added to a zone
by dnssec-signzone based on keyset files, the CDS records added to a zone by
named and dnssec-signzone based on “sync” timing parameters in key files, and
the checks performed by dnssec-checkds."

-JP
[1] https://bind9.readthedocs.io/en/v9_16_6/notes.html
bind-users mailing list
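
The following is an added example, not part of the original message and not ISC code: a small audit that reads dsset-style text, such as the dsset files older dnssec-signzone versions wrote with both digest types, and reports which keys still have a SHA-1 (digest type 1) DS or CDS record, and which have no stronger digest beside it. The sample records, placeholder digests, and the function names `parse_ds` and `audit` are constructed for illustration.

```python
"""Flag SHA-1 (digest type 1) DS/CDS records in dsset-style text."""
from collections import defaultdict

SHA1, SHA256 = 1, 2
HEX_LEN = {SHA1: 40, SHA256: 64, 4: 96}  # digest type -> hex digits (4 = SHA-384)

# Constructed sample: placeholder digests, not derived from any real key.
SAMPLE_DSSET = "\n".join([
    "; dsset-example.com. (constructed)",
    "example.com.\tIN DS 12345 8 1 " + "AB" * 20,
    # SHA-256 digest split by whitespace, which the parser rejoins.
    "example.com.\tIN DS 12345 8 2 " + "CD" * 16 + " " + "CD" * 16,
    "example.com.\t3600 IN DS 54321 13 1 " + "EF" * 20,
])

def parse_ds(text):
    """Yield (owner, rrtype, key_tag, algorithm, digest_type, digest_hex)."""
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        # The type token follows the owner and optional TTL/class fields.
        pos = next((i for i, f in enumerate(fields)
                    if i >= 1 and f.upper() in ("DS", "CDS")), None)
        if pos is None or len(fields) < pos + 5:
            continue
        try:
            tag, alg, dtype = (int(f) for f in fields[pos + 1:pos + 4])
            digest = "".join(fields[pos + 4:]).upper()
            int(digest, 16)  # must be hexadecimal
        except ValueError:
            continue  # malformed record line
        if dtype in HEX_LEN and len(digest) != HEX_LEN[dtype]:
            continue  # digest length does not match its declared type
        yield fields[0].lower(), fields[pos].upper(), tag, alg, dtype, digest

def audit(text):
    """Return (keys with a SHA-1 record, keys with only a SHA-1 record)."""
    types_by_key = defaultdict(set)
    for owner, _rr, tag, alg, dtype, _digest in parse_ds(text):
        types_by_key[(owner, tag, alg)].add(dtype)
    sha1_present = sorted(k for k, t in types_by_key.items() if SHA1 in t)
    sha1_only = sorted(k for k, t in types_by_key.items() if t == {SHA1})
    return sha1_present, sha1_only

if __name__ == "__main__":
    present, only = audit(SAMPLE_DSSET)
    for owner, tag, alg in present:
        note = "SHA-1 only" if (owner, tag, alg) in only else "also has stronger digest"
        print(f"{owner} key tag {tag} alg {alg}: SHA-1 DS present ({note})")
```
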