On 16/10/2024 14:00, Danilo Godec via bind-users wrote:
Hi Danilo,
I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, while SHA-256 is mandatory and has to exist.
That is correct.
That leaves SHA-384, which is optional and I can generate manually with 'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records to parent zones (.eu in this case), I can just send them both records, right?
You can, but it doesn't really enhance the security, and only increases the response size of queries for your DS records. A single SHA-256 DS hash is sufficient.
Regards, Anand -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
