Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

Chris Thompson cet1 at cam.ac.uk
Tue Dec 15 15:43:55 UTC 2009

On Dec 15 2009, Doug Barton wrote:

>While this reminder is timely and helpful, more welcome would be the
>news that BIND 9.6.2 is going to have actual support for
>RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem
>to indicate that it does, although I would be happy to be proven wrong.
>I personally don't think it's reasonable to expect everyone who wants
>to validate with BIND to upgrade to 9.7.x for a variety of reasons
>that I'd be happy to elucidate if they are not obvious.

Quoting from https://lists.isc.org/pipermail/bind-users/2009-October/077853.html

> Will you be adding RSASHA256 support in the 9.5.x and 9.6.x series? It
> might be a bit optimistic to expect everyone to move to 9.7.x by 2010-07-01,
> if that's when the root zone is going to be *really* signed (with RSASHA256,
> according to current reports).

(Evan Hunt)
> Not 9.5.x, as it lacks NSEC3 support.
> Adding SHA-2 to 9.6.x would violate our policy of making major
> functional changes only in major releases, so I don't expect we'll
> do that.  Given the odd circumstances you mentioned, I won't say for
> certain that we won't--but I doubt it.
> 9.7.0 is going to be final in a little over a month, which is fortunate
> timing.

(But it's not too obvious to me that adding support for a new signing
algorithm should necessarily be considered a "major functional change".)

Chris Thompson
Email: cet1 at cam.ac.uk
