DS digest type(s)
Danilo Godec
danilo.godec at agenda.si
Wed Oct 16 12:21:35 UTC 2024
I've been looking at RFC 8624 and there is no mention of SHA-512 - just this:
+--------+-----------------+-------------------+-------------------+
| Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
+--------+-----------------+-------------------+-------------------+
| 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
| 1      | SHA-1           | MUST NOT          | MUST              |
| 2      | SHA-256         | MUST              | MUST              |
| 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
| 4      | SHA-384         | MAY               | RECOMMENDED       |
+--------+-----------------+-------------------+-------------------+
Are there any newer RFCs or guidelines regarding DNSSEC algorithms?
Danilo
On 16. 10. 24 14:15, Robert Wagner wrote:
> Our preference would be to at least allow SHA-384 and SHA-512 per the
> CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov)
> <https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF>
>
> My understanding is this will be the base requirement for all US
> Government cryptography.
>
> RW
>
> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of
> Danilo Godec via bind-users <bind-users at lists.isc.org>
> *Sent:* Wednesday, October 16, 2024 8:00 AM
> *To:* bind-users at lists.isc.org <bind-users at lists.isc.org>
> *Subject:* DS digest type(s)
> Hi,
>
> I've been doing some more reading into DNSSEC and if I understand
> correctly, it is allowed to have multiple DS records for one KSK - with
> different digest types. Apparently, SHA-1 is deprecated and shouldn't be
> used anymore, while SHA-256 is mandatory and has to exist.
>
> That leaves SHA-384, which is optional and I can generate manually with
> 'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records
> to parent zones (.eu in this case), I can just send them both records,
> right?
>
> Is it also possible to have dnssec-policy to generate both digest types
> as CDS records?
>
> Regards,
>
> Danilo
Lep pozdrav / Best regards,
--
Danilo Godec | Sistemska podpora / System Administration
AGENDA d.o.o. | Ul. Pohorskega bataljona 49, SI-2000 Maribor
E: danilo.godec at agenda.si | T: +386 (0)2 421 61 31
Agenda OpenSystems <https://www.agenda.si/> | The largest Slovenian open-source integrator
Red Hat in Slovenia <http://www.redhat.si/> | Red Hat Premier Business Partner
ElasticBox <http://elasticbox.eu/> | Business solutions in the cloud
Agenda d.o.o. <https://www.agenda.si/>
Izjava o omejitvi odgovornosti / Legal disclaimer statement <https://www.agenda.si/index.php?id=228>
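The question in the quoted message, publishing two DS records with different digest types for one KSK, comes down to hashing the same DNSKEY twice. The following is an added example, not code from this thread or from BIND: it builds the DS digest exactly as RFC 4034 defines it (hash of the canonical owner name in wire form followed by the DNSKEY RDATA) for digest types 2 (SHA-256) and 4 (SHA-384), with the key tag from RFC 4034 Appendix B. The zone name example.eu and the 64-byte algorithm 13 "public key" are constructed placeholders, so the digests it prints are only useful for checking the mechanics; on a real key file the records should match what `dnssec-dsfromkey -a SHA-256` and `dnssec-dsfromkey -a SHA-384` print.

```python
"""
Compute DS records with more than one digest type from a single DNSKEY,
which is what a registrar receives when two DS records are published for
one KSK.

DS digest (RFC 4034 section 5.1.4):
    digest = H(canonical owner name in wire form || DNSKEY RDATA)
with H chosen by the digest type: 2 = SHA-256 (RFC 4509),
4 = SHA-384 (RFC 6605). SHA-1 (1) is listed only so existing records can
be recognised; RFC 8624 says MUST NOT generate it for new delegations.
"""
import base64
import hashlib
import struct

DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}

# Hypothetical zone and constructed key material (not a real key):
# KSK flags 257, protocol 3, algorithm 13 (ECDSAP256SHA256) with a dummy
# 64-byte public key made of the bytes 0x00..0x3f.
OWNER = "example.eu."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    labels lowercased and length-prefixed, terminated by a zero octet."""
    labels = name.rstrip(".").lower()
    out = bytearray()
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"invalid label {label!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag for every algorithm except RSA/MD5 (RFC 4034 Appendix B):
    sum the RDATA as big-endian 16-bit words, fold the carry back in."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Upper-case hex digest for one DS digest type. Types not in the
    table above (GOST, 3, is MUST NOT for delegation and not implemented
    here; anything else is unknown) are rejected rather than guessed."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    _, hashfn = DIGEST_TYPES[digest_type]
    return hashfn(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, digest_types=(2, 4)) -> list[str]:
    """One DS record per requested digest type, in presentation format.
    All of them carry the same key tag and algorithm because they
    describe the same DNSKEY; only the digest type and digest differ."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    name = owner.rstrip(".").lower() + "."
    return [
        f"{name} IN DS {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}"
        for dt in digest_types
    ]


if __name__ == "__main__":
    for record in ds_records(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64):
        print(record)
```

To check a real key, feed the flags, protocol, algorithm and base64 key from the zone's DNSKEY record (or the K*.key file) into `ds_records()` and diff the two lines against `dnssec-dsfromkey -a SHA-256 <keyfile>` and `dnssec-dsfromkey -a SHA-384 <keyfile>`; a mismatch in the key tag means the RDATA was mangled before hashing, a mismatch only in the digest means the owner name was not canonicalised the same way.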
More information about the bind-users mailing list