[Pdns-users] DS records to publish

Pieter Lexis pieter.lexis at powerdns.com
Mon Apr 24 08:23:35 UTC 2017

Hi Siniša,

On Mon, 24 Apr 2017 04:14:56 +0200
Siniša Burina <sburina at gmail.com> wrote:

> After securing the zone, pdnsutil show-zone <domain.com> shows four DS records with various digest
> types. Which one should be published upstream, or should I publish all of them?

This depends on the registry of the TLD; some have specific demands for certain DS algorithms, while others prefer to get the DNSKEY record and create their own DS records from that.
If you can choose, algorithms 1 and 2 (SHA1 and SHA256) are accepted by all validators, and 4 (SHA384) is nice to have as well.

Hope this helps! Best regards,

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
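
Added example, not part of the original message and not PowerDNS code: how a DS record is derived from a DNSKEY (RFC 4034 section 5.1.4, key tag per Appendix B) for digest types 1, 2 and 4, plus a check that a DS line shown by a registry matches your key. The function names are hypothetical and the key is 64 constructed placeholder bytes, not a real key.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) -> hashlib algorithm name
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name):
    """Canonical (lower-cased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return the DS presentation-format RDATA for one digest type."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def matches(ds_line, owner, flags, protocol, algorithm, pubkey_b64):
    """Check a DS line (e.g. as displayed by a registry) against the DNSKEY."""
    tag, alg, dtype, digest = ds_line.split(None, 3)
    if int(dtype) not in DIGESTS:
        raise ValueError(f"unsupported digest type {dtype}")
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    # Digests are often shown upper-cased and split into groups by spaces.
    return expected.lower() == f"{tag} {alg} {dtype} {digest.replace(' ', '')}".lower()

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for dt in sorted(DIGESTS):
        print("example.com. IN DS", make_ds("example.com.", 257, 3, 13, SAMPLE_KEY, dt))
```

Because the owner name is part of the hashed input, a DS computed for one zone never validates the same key under another name.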