Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-11 Thread Ondřej Surý
Thanks! That was the response I was looking for. Much appreciated! -- Ondřej Surý (He/Him) ond...@isc.org > On 11. 2. 2021, at 9:03, stuart@registry.godaddy wrote: > > Good to know. > > Will attach a task to our next KSK roll process. Should halve the > number of SHA1 DS's in the root

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-11 Thread Stuart@registry.godaddy
Good to know. Will attach a task to our next KSK roll process. Should halve the number of SHA1 DS's in the root. Will also tweak some of our other DNSSEC process documentation to stop providing them. Stuart On 11/2/21, 6:49 pm, "bind-users on behalf of Ondřej Surý" wrote: Not

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-11 Thread Stuart@registry.godaddy
Original Message- From: mailto:Stuart@registry.godaddy [mailto:Stuart@registry.godaddy] Sent: Wednesday, February 10, 2021 7:20 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT) Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes. Stu

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Ondřej Surý
> On 11. 2. 2021, at 7:01, Stuart@registry.godaddy wrote: > > It's one of those old compatibility things. Also called *downgrade attack vector*. Stuart, there’s absolutely no reason to keep any SHA1 in the DNS at the time I am writing this message. Cheers, Ondrej -- Ondřej Surý (He/Him) ond...

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Mark Elkins
gistry.godaddy] Sent: Wednesday, February 10, 2021 5:24 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT) If you look closer, you’ll see that ‘us.’ is RSASHA256. ‘state.ma.us.’ however, is deleg

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Stuart@registry.godaddy
ddy [mailto:Stuart@registry.godaddy] Sent: Wednesday, February 10, 2021 7:20 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT) Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes. Stuart On 11/2/21, 11:42 am, "bind-

RE: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread John W. Blue via bind-users
serving up false answers for a single domain. (OT) Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes. Stuart On 11/2/21, 11:42 am, "bind-users on behalf of John W. Blue via bind-users" wrote: Notice: This email is from an external sender. Well .. as best as I can tell ..

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Stuart@registry.godaddy
30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 -Original Message- From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy] Sent: Wednesday, February 10, 2021 5:24 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT

RE: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread John W. Blue via bind-users
DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 -Original Message- From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy] Sent: Wednesday, February 10, 2021 5:24 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11 serving up false answers

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Stuart@registry.godaddy
If you look closer, you’ll see that ‘us.’ is RSASHA256. ‘state.ma.us.’ however, is delegated to the state officials of the Commonwealth of Massachusetts and is indeed RSASHA1NSEC3. Stuart ... one of the guys that does the DNSSEC for US TLD. From: bind-users on behalf of "John W. Blue via b