Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

Tony Finch dot at dotat.at
Tue Mar 3 16:59:16 UTC 2020


Alan Batie <alan at peak.org> wrote:
>
> This is timely as I was about to ask if there's any reason to generate
> SHA1 DNSKEY records?  I should think that anything I care about can
> handle SHA256 these days...

There are extremely strong reasons for NOT generating SHA1 DNSKEY records!

https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html

There are sadly still a lot of SHA1 zones out there, so it can't yet be
disabled outright, but we need to get rid of it as soon as possible.

https://www.dns.cam.ac.uk/news/2020-02-14-sha-mbles.html

I recommend that new SHA1 keys (algorithms 5 and 7) are never generated.
The only exception is to support routine ZSK rollovers for zones that are
already signed with algo 5 or 7. Don't do same-algorithm KSK rollovers in
these zones, do an algorithm rollover instead, as soon as possible, to
algorithm 13 (ECDSA P256) or 8 (RSA SHA256). For zones that are being
signed for the first time, use algorithm 13 or 8.

RSASHA256 is used by the root zone so it has been universally supported
for over 10 years. Algorithm rollovers are relatively easy now. (The bugs
in certain validating resolvers that made things tricky are long gone.)

https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

(I was near the end of a very belated algorithm rollover project when the
SHA-mbles collision was announced!)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: Northwest 4 or 5,
backing west 3, then backing southeast 5 or 6, then veering southwest later.
Moderate or rough in far west, otherwise slight or moderate. Showers then
fair, rain later. Good, occasionally moderate later.
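As an added audit check (not from Tony's post, nor BIND's own code), this Python script reads DNSKEY records in zone-file presentation format and classifies each zone according to the advice above: flag algorithms 5 and 7, and treat 8 or 13 as the rollover targets. The zone names and key material are constructed placeholders.

```python
"""Audit DNSKEY RRsets for SHA1-based signing algorithms (5 = RSASHA1,
7 = RSASHA1-NSEC3-SHA1) and say what the post's advice implies per zone."""
from collections import defaultdict

# IANA DNSSEC algorithm numbers referred to in the thread.
SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
RECOMMENDED = {8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Constructed sample records (not real keys; key material is a placeholder).
# Format assumed: owner TTL IN DNSKEY flags protocol algorithm key
SAMPLE_RRS = """\
legacy.example.   3600 IN DNSKEY 257 3 7 AwEAAcKSK...
legacy.example.   3600 IN DNSKEY 256 3 7 AwEAAcZSK...
modern.example.   3600 IN DNSKEY 257 3 13 mdsswUyr...
modern.example.   3600 IN DNSKEY 256 3 13 oJMRESz5...
mixed.example.    3600 IN DNSKEY 257 3 5 AwEAAa...
mixed.example.    3600 IN DNSKEY 257 3 8 AwEAAb...
"""

def parse_dnskeys(text):
    """Yield (owner, flags, algorithm) for each DNSKEY line; skip other RRs."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        yield fields[0], int(fields[4]), int(fields[6])

def audit(text):
    """Return {zone: verdict}:
    'ok'                  - no SHA1 keys present
    'rollover-to-8-or-13' - only SHA1 keys; do an algorithm rollover, not a
                            same-algorithm KSK rollover
    'rollover-in-progress'- SHA1 and a recommended algorithm both present
    """
    algs_by_zone = defaultdict(set)
    for owner, _flags, alg in parse_dnskeys(text):
        algs_by_zone[owner].add(alg)
    verdicts = {}
    for zone, algs in algs_by_zone.items():
        sha1 = algs & set(SHA1_ALGS)
        modern = algs & set(RECOMMENDED)
        if not sha1:
            verdicts[zone] = "ok"
        elif modern:
            verdicts[zone] = "rollover-in-progress"
        else:
            verdicts[zone] = "rollover-to-8-or-13"
    return verdicts

if __name__ == "__main__":
    for zone, verdict in audit(SAMPLE_RRS).items():
        print(f"{zone:<18} {verdict}")
```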
