A few conceptual questions about DNSSEC.
kob6558 at gmail.com
Sat Mar 3 16:51:40 UTC 2012
On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.techno at gmail.com> wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>> Second, why do I get multiple DS records as response? –
>> You will always get 2 DS records in response. One for SHA-1 and second for
> I was reading the RFCs, but according to that, there's no provision of
> SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
> (appendix A1)
And RFC 4034 is seven years old. No SHA256 back then.
See RFC6014 which allows IANA to assign new algorithm numbers as
needed without a new RFC. SHA256 is the current preferred algorithm,
while SHA-1 is still routinely used as some DNSSEC software may not
support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I
suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
software that does not support SHA256 at this time, but I suspect
someone, somewhere is running it.
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
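Editor's note, with an added worked example that is not part of the thread above: the two registries being compared in this exchange are different things. RFC 4034 Appendix A.1 lists DNSKEY/RRSIG *algorithm* numbers (1 = RSA/MD5, 2 = Diffie-Hellman, 5 = RSA/SHA-1, ...), while Appendix A.2 lists DS *digest types*, where 1 = SHA-1 and, since RFC 4509, 2 = SHA-256. A DS record carries both: the algorithm of the key it points at and the digest type used to hash that key. That also answers the first question: the public key never comes from the DS. It is the DNSKEY published in the child zone; the parent's DS is a hash of the child's DNSKEY owner name plus RDATA, and a validator fetches the DNSKEY and recomputes the digest. Two DS records for one key are the same key hashed with digest types 1 and 2. The Python below computes and checks DS records exactly that way (RFC 4034 section 5.1.4 for the digest, Appendix B for the key tag). The DNSKEY in it is a constructed eight-byte blob, not a real zone key; RFC 4034 section 5.4 has a real DNSKEY/DS pair you can feed to `parse_dnskey` and `ds_record` instead.

```python
# Added example: build and verify DS records from a DNSKEY, per RFC 4034
# section 5.1.4 (digest) and Appendix B (key tag). Not code from the thread.
import base64
import hashlib
import struct
from dataclasses import dataclass

# Two different IANA registries that the thread conflates.
# RFC 4034 Appendix A.1: DNSKEY/RRSIG *algorithm* numbers (what signs).
DNSKEY_ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1",
                     8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}
# RFC 4034 Appendix A.2 plus RFC 4509: DS *digest type* numbers (what hashes the key).
DS_DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # DNSKEY algorithm number, NOT a DS digest type
    public_key: bytes


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int    # copied from the DNSKEY
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: str       # uppercase hex


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit ones-complement-style sum, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s.5.1.4."""
    try:
        h = DS_DIGEST_TYPES[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    rdata = dnskey_rdata(key.flags, key.protocol, key.algorithm, key.public_key)
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """What a validator does: recompute the DS from the child's DNSKEY and compare."""
    try:
        return ds_record(owner, key, ds.digest_type) == ds
    except ValueError:
        return False  # unknown digest type: the DS is unusable, never a match


def parse_dnskey(presentation: str) -> DNSKEY:
    """Parse 'flags protocol algorithm base64key' as printed by dig."""
    flags, protocol, algorithm, *b64 = presentation.split()
    return DNSKEY(int(flags), int(protocol), int(algorithm),
                  base64.b64decode("".join(b64)))


# Constructed sample, not a real zone key: bytes 01..08 as the "public key".
# A real RSA or ECDSA key is just a longer blob in the same position.
EXAMPLE_DNSKEY = parse_dnskey("257 3 8 AQIDBAUGBwg=")

if __name__ == "__main__":
    # One DNSKEY, two DS records: same key tag and algorithm, different digest type.
    for dt in (1, 2):
        ds = ds_record("example.com.", EXAMPLE_DNSKEY, dt)
        print(f"example.com. IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
```

Running it prints two DS lines with the same key tag (5149 for this constructed key) and algorithm 8, one 40-hex-digit SHA-1 digest and one 64-hex-digit SHA-256 digest, which is the pair of DS records the original poster saw. Note that `ds_matches` deliberately refuses an unknown digest type rather than skipping the check; a validator that treats an unsupported DS as "verified" would let anyone forge a delegation.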
More information about the bind-users