[dns-operations] DSSET File Entries

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jul 27 16:59:46 UTC 2020

On Mon, Jul 27, 2020 at 02:30:19AM +0000, Mike Peters wrote:

> The dnssec-signzone command produced the expected
>   dsset-zonename
> File with two entries e.g.
>   example.com.    IN DS 16293 7 1 173543F8153BBCDF9B7A0E127A1E76A10A489748
>   example.com.    IN DS 16293 7 2 01F3E27E9DE840A99D81DE9BA26272FDEB9F1C40AA0CB8FACF31A5CA 56742F94

Both RSASHA1-NSEC3-SHA1(7) and DS RR type SHA1(1) are deprecated, and
SHOULD NOT be used.

Sign your zone with either RSASHA256(8) or ECDSAP256SHA256(13)
(preferred for better packet size and stronger keys for practical RSA
key sizes).

> Signing the same zone file now using ISC Bind 9.16.5 I see only one entry e.g.
>   example.com.    IN DS 63741 7 2 DA0B7F5FB60F1FC49A35C8DEC5CDD47185A9CAB5371C0C42B249F4B5 900E11BC

That's better, but you should switch to algorithm 8 or 13.

> I note that providers such as Cloudfare / ClouDNS still give examples requiring two entries as per the 9.11.1 output.

The examples are outdated.


More information about the dns-operations mailing list