A few conceptual question about dnssec.

Mark Andrews marka at isc.org
Sat Mar 3 20:48:54 UTC 2012


In message <CAN6yY1vu9ecaBviNdLmPuFQfJj47jq_BEEjdWZ8D-jsxVdOK7g at mail.gmail.com>
, Kevin Oberman writes:
> On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.techno at gmail.com> wrote:
> > On 02/18/12 00:36, Gaurav kansal wrote:
> >
> > Firstly, where do we get the public key for the DS records?
> >
> > Can you clarify your question???
> >
> > Second, why do I get multiple DS records as response?
> >
> > You will always get 2 DS Records in response. One for SHA-1 and second for
> > SHA-256.
> >
> > I was reading the RFCs, but according to that, there's no provision of
> > SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
> > (appendix A1)
> 
> And RFC4024 is seven years old. No SHA256 back then.
> 
> See RFC6014 which allows IANA to assign new algorithm numbers as
> needed without a new RFC. SHA256 is the current preferred algorithm,
> while SHA-1 is still routinely used as some DNSSEC software may not
> support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I
> suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
> software that does not support SHA256 at this time, but I suspect
> someone, somewhere is running it.

Additionally it helps to read the correct table, "A.2. DNSSEC Digest Types".
SHA1 and SHA256 refer to digest types.

RSAMD5 (not just MD5) and Diffie-Hellman are DNSSEC Algorithm Types.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
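The distinction drawn above, DS digest type (SHA-1, SHA-256) versus DNSKEY algorithm number (RSAMD5, Diffie-Hellman, RSASHA256 and so on), and the reason a signed zone usually publishes one DS record per digest type for the same key, is easiest to see by deriving DS records from a DNSKEY as RFC 4034 section 5 and Appendix B describe. The following is an added example, not code from this thread or from BIND; the key material is constructed, not a real zone's key, and the function names are my own.

```python
"""Derive and check DS records from a DNSKEY RR (RFC 4034 s.5, App. A.2, App. B).

Added example for the bind-users thread above; not BIND code. The sample
key bytes below are constructed and do not belong to any real zone.
"""
import hashlib
import struct

# DS digest types: RFC 4034 App. A.2 (1), RFC 4509 (2), RFC 6605 (4).
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}

# A few DNSKEY algorithm numbers from the IANA registry (RFC 6014 lets IANA
# add entries without a new RFC). These are a different namespace from the
# digest types above even though both use small integers.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 5: "RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case labels, RFC 4034 s.6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 App. B for every algorithm except RSAMD5 (alg 1)."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tags use the App. B.1 rule, not implemented here")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """digest = H(canonical owner name | DNSKEY RDATA), H chosen by digest type."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown DS digest type {digest_type}")
    return hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int):
    """Return the DS RDATA fields (key tag, algorithm, digest type, hex digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type).hex().upper())


def make_ds_set(owner: str, rdata: bytes, digest_types=(1, 2)):
    """One DS per digest type for the same key: this is why a query for the
    DS RRset commonly returns two records (SHA-1 and SHA-256)."""
    return [make_ds(owner, rdata, dt) for dt in digest_types]


def ds_matches_dnskey(owner: str, rdata: bytes, ds) -> bool:
    """Validator-side check: does this DS authenticate this DNSKEY?

    A DS with an unsupported digest type is treated as unusable rather than
    as an error, which is the behaviour that lets a zone keep a SHA-1 DS for
    old validators alongside a SHA-256 one."""
    tag, alg, dtype, digest_hex = ds
    if dtype not in DIGEST_TYPES:
        return False
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    expected = ds_digest(owner, rdata, dtype)
    return bytes.fromhex(digest_hex) == expected


if __name__ == "__main__":
    # Constructed KSK (flags 257) using algorithm 8 (RSASHA256) with a toy key.
    sample_rdata = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
    for tag, alg, dtype, digest in make_ds_set("example.com.", sample_rdata):
        print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Running the block prints two DS lines that differ only in the digest type field and the digest itself; the key tag and the algorithm number (8, RSASHA256) are identical in both, because they describe the DNSKEY, not the hash used to summarise it.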