> On 16 Oct 2024, at 23:00, Danilo Godec via bind-users
> <bind-users@lists.isc.org> wrote:
>
> Hi,
>
>
> I've been doing some more reading into DNSSEC and if I understand correctly,
> it is allowed to have multiple DS records for one KSK - with different digest
> types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, while
> SHA-256 is mandatory and has to exist.
>
> That leaves SHA-384, which is optional and I can generate manually with
> 'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records to
> parent zones (.eu in this case), I can just send them both records, right?
>
>
> Is it also possible to have dnssec-policy to generate both digest types as
> CDS records?
cds-digest-types { "sha-256"; "sha-384"; };
> Regards,
>
> Danilo
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
