I'm not sure whether this belongs here or in the dns-wg (or somewhere
else?).

I just updated the ds-rdata of one of our domain objects and realized
that the RDNS checker does not support SHA-256, neither for the DS
record nor as part of signature algorithm 8 (RSASHA256):

  ***RDNS: (related to set) INFO: 6199 8 2 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592 ; uses a Digest type that is not implemented by this checker. We cannot verify if the chain of trust is intact. You should be conciously using digest types other than SHA1

  ***RDNS: (related to ns2.switch.ch) INFO: The signature over DNSKEY is made with algorithm code 8 The checker does not implement this algorithm and can therefore not validate the chain of trust It is assumed that using algoritm type 8 is a conscious choice.

SHA256 has been in use for both purposes for a number of years. Are
there any plans to support it in the RDNS checker?

Regards,
Alex

--
SWITCH
Serving Swiss Universities
--------------------------
Alexander Gall, Global LAN
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 15 22
alexander.gall@switch.ch, http://www.switch.ch
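Added example (not part of the original message and not the RDNS checker's code): a DS-to-DNSKEY check that handles digest type 2 (SHA-256) alongside type 1 and reports an unknown digest type as unverifiable rather than as a failure. The function names, the dummy DNSKEY and the zone name example.net. are constructed for illustration; only the DS string is taken from the message above.

```python
import hashlib

# Digest types from the IANA DS registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_ds(text):
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), bytes.fromhex("".join(digest))

def make_ds(owner, rdata, dtype):
    digest = DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {dtype} {digest}"

def check_ds(owner, ds_text, rdata):
    """Return 'match', 'mismatch' or 'unsupported' for one DS/DNSKEY pair."""
    tag, alg, dtype, digest = parse_ds(ds_text)
    if dtype not in DIGESTS:
        return "unsupported"      # unknown digest type: unverifiable, not an error
    if tag != key_tag(rdata) or alg != rdata[3]:
        return "mismatch"         # the DS refers to a different key
    computed = DIGESTS[dtype](name_to_wire(owner) + rdata).digest()
    return "match" if computed == digest else "mismatch"

# Constructed sample: DNSKEY with flags 257, protocol 3, algorithm 8 and a
# dummy 4-byte public key (not a real key); the zone name is an assumption.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
SAMPLE_OWNER = "example.net."
# DS rdata quoted in the message above.
PAGE_DS = "6199 8 2 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592"

if __name__ == "__main__":
    print("page DS digest length:", len(parse_ds(PAGE_DS)[3]), "bytes")
    for dtype in (1, 2):
        ds = make_ds(SAMPLE_OWNER, SAMPLE_KEY, dtype)
        print(ds, "->", check_ds(SAMPLE_OWNER, ds, SAMPLE_KEY))
```

The DS from the message parses as digest type 2 with a 32-byte digest, but it cannot be checked here because the matching DNSKEY is not part of the message.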