Hi,

I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, while SHA-256 is mandatory and has to exist.

That leaves SHA-384, which is optional and I can generate manually with 'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records to parent zones (.eu in this case), I can just send them both records, right?


Is it also possible to have dnssec-policy generate both digest types as CDS records?


    Regards,

    Danilo
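
How the two DS records in the question relate to one KSK, as an added example that is not part of the original message: both are digests over the owner name plus the same DNSKEY RDATA, so they share key tag and algorithm and differ only in digest type (2 for SHA-256, 4 for SHA-384) and digest value. The zone name `example.eu.` and the key material are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample KSK (flags 257, protocol 3, algorithm 15 = Ed25519);
# the key material is a dummy value, not a real key.
SAMPLE_DNSKEY = "example.eu. 3600 IN DNSKEY 257 3 15 AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="

# DS digest type numbers (IANA registry) mapped to hashlib names.
DIGESTS = {2: "sha256", 4: "sha384"}


def parse_dnskey(line):
    """Return (owner name, DNSKEY RDATA in wire format) from a presentation-format line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def name_to_wire(name):
    """Canonical wire form: lowercase labels, each length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit sum with carry folded in)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_records(line, digest_types=(2, 4)):
    """Build one DS tuple per digest type for the same DNSKEY."""
    owner, rdata = parse_dnskey(line)
    algorithm = rdata[3]
    out = []
    for dtype in digest_types:
        digest = hashlib.new(DIGESTS[dtype], name_to_wire(owner) + rdata).hexdigest().upper()
        out.append((owner, key_tag(rdata), algorithm, dtype, digest))
    return out


if __name__ == "__main__":
    for owner, tag, alg, dtype, digest in ds_records(SAMPLE_DNSKEY):
        print(f"{owner} IN DS {tag} {alg} {dtype} {digest}")
```

Comparing the printed key tag, algorithm and digest against what the registrar publishes in the parent zone is a quick check that each DS really points at the intended KSK.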

