No, unfortunately there is no way to disable it. It just creates both
digests and there is no way to disable creation of SHA-1 in BIND 9.11.
dnssec-dsfromkey -2 can be used to output only the SHA256 digest.
I think the automated process using dsset files does not offer switches to
not generate them. With the manual signing process it should be possible to
delete the SHA1 digest from the dsset file before signing it with
dnssec-signzone. I doubt it would work smoothly with inline signing
directly from named. At least not in our RHEL8 version.
Petr
On 24. 03. 23 14:35, John W. Blue via bind-users wrote:
Petr,
Thanks for sharing that tidbit of info. Off the top of your head do you know
if that can be disabled?
John
-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Petr Menšík
Sent: Friday, March 24, 2023 8:32 AM
To: bind-users@lists.isc.org
Subject: Re: DNSSEC error resolving gpo.gov ?
That is also done by BIND 9.11, not only Infoblox. It creates both digests on
common operations.
On 3/14/23 16:23, John W. Blue via bind-users wrote:
Keep in mind that SHA1 may not have been included by choice.
If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in
play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it
will create a SHA1.
John
-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephane Bortzmeyer
Sent: Tuesday, March 14, 2023 10:17 AM
To: Alexandra Yang
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC error resolving gpo.gov ?
On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang <draya...@gmail.com> wrote a message of 154 lines which said:
I wonder if anyone can shed some light on this, our nameserver (BIND
9.16.37) keeps giving error on resolving gpo.gov and ns3.gpo.gov,
here are the errors:
"DS record for zone gpo.gov with keytag 18496 was created by digest algorithm 1
(SHA-1) which is deprecated."
https://zonemaster.fr/en/result/9161c8485223705c
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
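
The manual step described in this thread (deleting the SHA-1 digest from the dsset file before running dnssec-signzone), as an added example that is not from the thread or from BIND itself. The function names are hypothetical, the sample records are constructed, and it assumes one DS record per line.

```shell
#!/bin/sh
# Added example: filter SHA-1 (digest type 1) DS records out of a dsset file.
# Assumes one DS record per line.

# strip_sha1_ds FILE
# Prints FILE without DS records of digest type 1. Prints nothing and returns
# 2 if some key has only a SHA-1 DS, since stripping it would leave that key
# with no DS record at all.
strip_sha1_ds() {
    awk '
    {
        line[NR] = $0; sha1[NR] = 0
        # TTL and class are optional, so search for the type field.
        for (i = 2; i <= NF - 4; i++) {
            if (toupper($i) == "DS") {
                key = $(i + 1) "/" $(i + 2)       # key tag / DNSKEY algorithm
                seen[key] = 1
                if ($(i + 3) == 1) sha1[NR] = 1   # digest type 1 = SHA-1
                else kept[key] = 1
                break
            }
        }
    }
    END {
        for (k in seen) if (!(k in kept)) {
            print "key " k " has only a SHA-1 DS; not stripping" > "/dev/stderr"
            exit 2
        }
        for (n = 1; n <= NR; n++) if (!sha1[n]) print line[n]
    }' "$1"
}

# write_sample_dsset FILE
# Writes constructed sample data (zone, key tags and digests are made up).
write_sample_dsset() {
    cat > "$1" <<'EOF'
example.com. IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
example.com. IN DS 12345 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABB CCDDEEFF
example.com. 3600 IN DS 23456 13 2 FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA998877665544 33221100
EOF
}
```

Redirect the output to a new file and compare it with the original before replacing the dsset file.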