DNSSEC using alg=7

DNSviz shows warnings on RRSIG due to alg=7 while I have alg=8 and alg=13 also and typically use those today. Is there a set of steps to clean up older algorithm values in my DNSSEC?

WARNING: RRSIG [REDACTED].com/SOA [Error for each: A, AAAA, DNSKEY … etc] alg 7, id 35027: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).

Should dnssec be removed at registrar before said dnssec modifications? Any other tips/insight? I have been running this server for about 5 years and assume older dnssec algo used years ago may carry forward?


[edit: added dnsviz screenshot - REDACTED Actual domain name tested]

Tools I’m using to test DNSSEC, and perhaps others might recommend something else or even cli commands best to use for testing also:

https://dnsviz.net/ | Zonemaster.se | https://dnssec-debugger.verisignlabs.com/

Similar errors reported to what I saw and inquired about in my prior opening post: Zonemaster.net - Domain check

Adding notes for future assistance to others searching this topic:

Having NS2 point to another IP as best practice

Probably Ok

My remaining question is: Would I ever want to use a DNSSEC analysis to determine DNSKEY values and add that to the DNS for a domain on Cloudflare DNS (Cloudflare is also my registrar for that domain), since I can’t change the DNSSEC record Cloudflare adds when enabled, or should I just leave it off for domains registered at Cloudflare?

And is Multi-signer DNSSEC a toggle (ON or OFF - default is off) I’d want to use for anything MIAB related on my cloudflare domain I’m using for email? (Cloudflare explains this as: Multi-signer DNSSEC allows Cloudflare and your other authoritative DNS providers to serve the same zone and have DNSSEC enabled at the same time.)

Edit: added resources & new questions I located after OP.

For a different domain on my MIAB server that I just added, I get what appears to be a better posture and no warnings. See diagram; again I removed my actual domain and added REDACTED.com to keep my domain private.

I’d love to gain a better understanding of this from DNSviz.net, but maybe it’s not necessary to understand as everything is working and I have good send alignment results for my emails.

For the domain with warning I might try using a different DNSSEC Key Tag option and give it a few days to see if that solves the warnings.
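The following is an added example (not from the original post, and not a Mail-in-a-Box or DNSViz tool) of a cli check for the situation described above: it reads the presentation-format output of `dig +dnssec DNSKEY <zone>` / `dig +dnssec SOA <zone>` / `dig DS <zone>` and reports which DNSSEC algorithm numbers are present in the DNSKEY, RRSIG and DS records, flagging algorithms that RFC 8624 lists as NOT RECOMMENDED or MUST NOT for signing (alg 7 among them) and algorithms that appear in DNSKEY or DS without actually signing an RRset, which is what produces the kind of warning quoted in the opening post. The zone name, key tags and key material in `SAMPLE_DIG_OUTPUT` are constructed placeholders, not real keys.

```python
"""Audit the DNSSEC algorithms a zone is using, from dig presentation-format output.

Constructed example: feed it lines such as those printed by
    dig +dnssec +multi DNSKEY example.com @ns1.example.com
    dig +dnssec SOA example.com @ns1.example.com
    dig DS example.com            (the DS set lives at the parent / registrar)
"""
from collections import defaultdict

# IANA DNSSEC algorithm numbers with their RFC 8624 status for *signing*.
ALGORITHMS = {
    1: ("RSAMD5", "MUST NOT"),
    3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"),
    12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
    16: ("ED448", "MAY"),
}

# Constructed sample (placeholder key tags and key material, not a real zone):
# an old alg 7 key pair still published next to the current alg 13 pair,
# and the DNSKEY RRset itself is only signed by the alg 13 key.
SAMPLE_DIG_OUTPUT = """
; <<>> constructed sample output <<>>
example.com. 3600 IN DNSKEY 257 3 7 AwEAAc...placeholder-old-ksk...
example.com. 3600 IN DNSKEY 256 3 7 AwEAAc...placeholder-old-zsk...
example.com. 3600 IN DNSKEY 257 3 13 mdsswU...placeholder-new-ksk...
example.com. 3600 IN DNSKEY 256 3 13 oJMRES...placeholder-new-zsk...
example.com. 3600 IN RRSIG SOA 7 2 3600 20300101000000 20240101000000 11111 example.com. sig...
example.com. 3600 IN RRSIG SOA 13 2 3600 20300101000000 20240101000000 22222 example.com. sig...
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20300101000000 20240101000000 22222 example.com. sig...
example.com. 3600 IN DS 11111 7 2 placeholderdigest
example.com. 3600 IN DS 22222 13 2 placeholderdigest
"""


def parse_records(lines):
    """Collect algorithm numbers from DNSKEY, RRSIG and DS lines.

    Returns (dnskey_algs, rrsig_algs_by_type_covered, ds_algs). With +multi,
    the fields we need are on the first line of each record, so continuation
    lines (base64 only) are ignored because they carry no RR type token.
    """
    dnskey_algs = set()
    rrsig_algs = defaultdict(set)
    ds_algs = set()
    for raw in lines:
        line = raw.split(";")[0].strip()        # drop dig comments
        tok = line.split()
        for i, t in enumerate(tok):
            if t in ("DNSKEY", "RRSIG", "DS"):
                rtype, fields = t, tok[i + 1:]
                break
        else:
            continue                            # not a record line we audit
        if rtype == "DNSKEY":                   # flags protocol algorithm key
            dnskey_algs.add(int(fields[2]))
        elif rtype == "RRSIG":                  # type-covered algorithm labels ...
            rrsig_algs[fields[0]].add(int(fields[1]))
        elif rtype == "DS":                     # keytag algorithm digest-type digest
            ds_algs.add(int(fields[1]))
    return dnskey_algs, dict(rrsig_algs), ds_algs


def audit(lines):
    """Return the algorithm sets plus a list of human-readable findings."""
    dnskey_algs, rrsig_algs, ds_algs = parse_records(lines)
    findings = []
    signing_algs = set().union(*rrsig_algs.values())
    for alg in sorted(dnskey_algs | signing_algs):
        name, status = ALGORITHMS.get(alg, (f"unassigned({alg})", "unknown"))
        if status in ("MUST NOT", "NOT RECOMMENDED"):
            findings.append(f"alg {alg} ({name}) is {status} for signing per RFC 8624; "
                            f"plan an algorithm rollover away from it")
    # RFC 4035 section 2.2: every algorithm in the DNSKEY RRset must sign every RRset.
    for rtype, algs in sorted(rrsig_algs.items()):
        for alg in sorted(dnskey_algs - algs):
            findings.append(f"{rtype} RRset has no RRSIG from alg {alg} although "
                            f"alg {alg} is still in the DNSKEY RRset")
    # A DS at the parent for an algorithm with no matching DNSKEY is a stale DS.
    for alg in sorted(ds_algs - dnskey_algs):
        findings.append(f"DS at parent references alg {alg} but no DNSKEY uses it; "
                        f"the registrar-side DS is stale")
    return {"dnskey_algs": dnskey_algs, "rrsig_algs": rrsig_algs,
            "ds_algs": ds_algs, "findings": findings}


if __name__ == "__main__":
    import sys
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT.splitlines()
    report = audit(src)
    print("DNSKEY algs:", sorted(report["dnskey_algs"]), " DS algs:", sorted(report["ds_algs"]))
    for f in report["findings"] or ["no findings"]:
        print(" -", f)
```

Piping real `dig` output into the script on stdin audits a live zone; with no input it runs on the constructed sample, which reproduces both kinds of warning: the deprecated alg 7 signer, and a DNSKEY RRset that alg 7 no longer signs. The second check is the reason not to simply delete the old keys or the old DS in one step: RFC 6781 section 4.1.4 describes an algorithm rollover as introducing the new algorithm's keys and signatures first, publishing its DS beside the old one, waiting out the TTLs, and only then withdrawing the old DS and finally the old keys.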
