DNSviz shows warnings on RRSIG due to alg=7, while I also have alg=8 and alg=13 and typically use those today. Is there a set of steps to clean up older algorithm values in my DNSSEC?
WARNING: RRSIG [REDACTED].com/SOA [Error for each: A, AAAA, DNSKEY … etc] alg 7, id 35027: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
Should DNSSEC be removed at the registrar before said DNSSEC modifications? Any other tips/insight? I have been running this server for about 5 years and assume an older DNSSEC algo used years ago may carry forward?
Adding notes for future assistance to others searching this topic:
Having NS2 point to another IP as best practice
Probably OK
My remaining question is: Would I ever want to use a DNSSEC analysis to determine DNSKEY values and add that to a DNS for a domain on Cloudflare DNS where Cloudflare is also my domain registrar, since I can’t change the DNSSEC record Cloudflare adds when enabled, or just leave it off for domains registered at Cloudflare?
And is Multi-signer DNSSEC a toggle (ON or OFF - default is off) I’d want to use for anything MIAB related on my Cloudflare domain I’m using for email? (Cloudflare explains this as: Multi-signer DNSSEC allows Cloudflare and your other authoritative DNS providers to serve the same zone and have DNSSEC enabled at the same time.)
Edit: added resources & new questions I located after OP.
For a different domain on my MIAB server that I just added, I get what appears to be a better posture and no warnings. See diagram; again, I removed my actual domain and added REDACTED.com to keep my domain private.
I’d love to gain a better understanding of this from DNSviz.net, but maybe it’s not necessary to understand, as everything is working and I have good send alignment results for my emails.