drill -s example.com print still SHA1 digest #262

pemensik · 2024-12-03T17:07:06Z

I think it should print only sha256 digest, unless explicitly requested. digest alg 1 is not considered secure enough I think.

$ drill -s dnskey example.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 32989
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; example.com.	IN	DNSKEY

;; ANSWER SECTION:
example.com.	3600	IN	DNSKEY	256 3 13 ai2pvpijJjeNTpBu4yg6T375JqIStPtLABDTAILb+f4J7XpofUNXGQn6FpQvZ6CARWn2xQapbjGtDRjTf4qYxg== ;{id = 60915 (zsk), size = 256b}
example.com.	3600	IN	DNSKEY	257 3 13 kXKkvWU3vGYfTJGl3qBd4qhiWp5aRs7YtkCJxD2d+t7KXqwahww5IgJtxJT2yFItlggazyfXqJEVOmMJ3qT0tQ== ;{id = 370 (ksk), size = 256b}

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 105 msec
;; SERVER: 127.0.0.1
;; WHEN: Tue Dec  3 17:56:14 2024
;; MSG SIZE  rcvd: 189
;
; equivalent DS records for key 60915:
; sha1: example.com.	3600	IN	DS	60915 13 1 c95eeb716d6ed9b309f18e5dc1ca65df341478a1
; sha256: example.com.	3600	IN	DS	60915 13 2 74510431a97d383d2d8b9101643ee493a6ec754aafb7431295210d59b6e501f6
;
; equivalent DS records for key 370:
; sha1: example.com.	3600	IN	DS	370 13 1 19c524a336c67620cf29c8b8f7bd3b6456e05a5e
; sha256: example.com.	3600	IN	DS	370 13 2 be74359954660069d5c63d200c39f5603827d7dd02b56f120ee9f3a86764247c

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

drill -s example.com print still SHA1 digest #262

drill -s example.com print still SHA1 digest #262

pemensik commented Dec 3, 2024

drill -s example.com print still SHA1 digest #262

drill -s example.com print still SHA1 digest #262

Comments

pemensik commented Dec 3, 2024