2010/07/23

root dnskey used SHA-256 algorithm

Just when I thought it was the right time to include the root KSK (DNSKEY) as the trust anchor for a resolver, I realized that the root KSK was generated with the SHA-256 algorithm:

trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

My resolvers running BIND 9.5.2 and Unbound 1.3.4 cannot support this algorithm. That is to say, I am not able to use the root key as the trust anchor. Time to move to BIND 9.7 and Unbound 1.4.4.
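
An added example, not part of the original post: in the trust-anchor line above, 19036 is the key tag, 8 is the DNSSEC algorithm number (RSA/SHA-256) and 2 is the DS digest type (SHA-256). The Python below parses such a DS anchor, reports which of those numbers a validator lacks, and checks a DNSKEY against the anchor's digest; the supported sets passed to `blockers` and the sample key are assumptions constructed for illustration, not the capabilities of any particular BIND or Unbound release.

```python
import hashlib
import struct

# Subset of the IANA DNSSEC algorithm and DS digest-type registries.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_ds(text):
    """Parse '<owner> DS <key tag> <algorithm> <digest type> <hex digest...>'."""
    owner, rrtype, tag, alg, dtype, *hexparts = text.split()
    if rrtype.upper() != "DS":
        raise ValueError("not a DS record: " + rrtype)
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": bytes.fromhex("".join(hexparts))}

def blockers(ds, algorithms, digest_types):
    """Reasons a validator limited to the given sets cannot use this anchor."""
    out = []
    if ds["algorithm"] not in algorithms:
        out.append("algorithm %d (%s)" % (ds["algorithm"], ALGORITHMS.get(ds["algorithm"], "unknown")))
    if ds["digest_type"] not in digest_types:
        out.append("digest type %d" % ds["digest_type"])
    return out

def wire_name(owner):
    """Owner name in lowercase DNS wire format; the root '.' is a single zero byte."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Build the DS text for DNSKEY RDATA: digest = H(owner wire name | RDATA)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return "%s DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(ds, rdata):
    """True if the DNSKEY RDATA is the key this DS anchor commits to."""
    return parse_ds(make_ds(ds["owner"], rdata, ds["digest_type"])) == ds

# Anchor from the post; the DNSKEY below is constructed sample data, not the real root KSK.
ROOT_DS = parse_ds(". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 8) + bytes(range(64))

# Hypothetical validator that only knows SHA-1 based algorithms and digests.
print(blockers(ROOT_DS, {5, 7}, {1}))
```

An empty list from `blockers` means the validator can at least process the anchor; `ds_matches` is the check to run against the DNSKEY actually fetched for the zone.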
