DS digest type(s)
Robert Wagner
rwagner at tesla.net
Wed Oct 16 12:15:13 UTC 2024
Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) <https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF>
My understanding is this will be the base requirement for all US Government cryptography.
RW
________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Danilo Godec via bind-users <bind-users at lists.isc.org>
Sent: Wednesday, October 16, 2024 8:00 AM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: DS digest type(s)
Hi,
I've been doing some more reading into DNSSEC and if I understand
correctly, it is allowed to have multiple DS records for one KSK - with
different digest types. Apparently, SHA-1 is deprecated and shouldn't be
used anymore, while SHA-256 is mandatory and has to exist.
That leaves SHA-384, which is optional and I can generate manually with
'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records
to parent zones (.eu in this case), I can just send them both records,
right?
Is it also possible to have dnssec-policy generate both digest types
as CDS records?
Regards,
Danilo
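As an added illustration of the two threads above (Danilo's question about handing the parent both a SHA-256 and a SHA-384 DS for the same KSK, and Robert's note on stronger digests), the following Python computes DS records for one DNSKEY under each digest type the IANA DS digest type registry defines for this purpose: type 2 (SHA-256, RFC 4509) and type 4 (SHA-384, RFC 6605); the registry has no SHA-512 DS digest type. This is example code written for this page, not part of BIND or `dnssec-dsfromkey`. The key tag follows RFC 4034 Appendix B and the digest is hash(canonical owner name || DNSKEY RDATA) per RFC 4034 section 5.1.4. The DNSKEY is a constructed sample whose 64 key bytes are not a real public key; the owner name `example.eu.` and the helper names are likewise assumptions.

```python
import base64
import hashlib

# DS digest type numbers from the IANA "DS RR Type Digest Algorithms" registry.
# SHA-1 (1) is listed only so that a request for it can be refused explicitly.
DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1),      # RFC 3658, deprecated for new DS records
    2: ("SHA-256", hashlib.sha256),  # RFC 4509, mandatory
    4: ("SHA-384", hashlib.sha384),  # RFC 6605, optional
}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 6.2."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # the empty root label terminates the name


def parse_dnskey(line: str) -> tuple:
    """Split a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, key)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split
    return owner, flags, protocol, algorithm, pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str, digest_type: int, rrtype: str = "DS") -> str:
    """Build one DS record (or a CDS record, which carries identical RDATA, RFC 7344)."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown DS digest type {digest_type}")
    if digest_type == 1:
        raise ValueError("refusing to generate a SHA-1 DS record")
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    # RFC 4034 5.1.4: digest = hash(canonical owner name || DNSKEY RDATA)
    _, hasher = DIGEST_TYPES[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN {rrtype} {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_set_for_registrar(line: str, digest_types=(2, 4), rrtype: str = "DS") -> list:
    """The records to hand to the parent: SHA-256 is required, SHA-384 may be added."""
    if 2 not in digest_types:
        raise ValueError("a SHA-256 (type 2) DS record is mandatory")
    return [ds_from_dnskey(line, dt, rrtype) for dt in sorted(set(digest_types))]


# Constructed sample: a KSK (flags 257) using ECDSAP256SHA256 (algorithm 13).
# The 64 "key" bytes are 0x00..0x3F and are NOT a real public key; only the
# digest and key-tag arithmetic is being demonstrated.
SAMPLE_DNSKEY = (
    "example.eu. 3600 IN DNSKEY 257 3 13 "
    + base64.b64encode(bytes(range(64))).decode("ascii")
)


def sample_records() -> dict:
    """DS records for the constructed KSK, keyed by digest type."""
    return {int(r.split()[5]): r for r in ds_set_for_registrar(SAMPLE_DNSKEY)}


if __name__ == "__main__":
    # What you would send to the registrar for the parent zone ...
    for rec in ds_set_for_registrar(SAMPLE_DNSKEY):
        print(rec)
    # ... and the matching CDS records a child zone could publish.
    for rec in ds_set_for_registrar(SAMPLE_DNSKEY, rrtype="CDS"):
        print(rec)
```

Both records share the key tag and algorithm and differ only in the digest type and digest, so a validating resolver that finds either one matching the DNSKEY accepts the delegation; the SHA-256 record is kept unconditionally because it is the one every validator is required to support, and the SHA-1 path is refused rather than silently produced. CDS uses the same RDATA as DS, which is why the same function serves for the records a child zone publishes for automated DS maintenance.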