DS digest type(s)
Robert Wagner
rwagner at tesla.net
Wed Oct 16 12:54:01 UTC 2024
Correct. The RFC is a bit behind the whole post quantum crypto effort, but I would expect it to get updated with both Hashes and Lattice-based crypto in the upcoming years. This is more of a - 'here's where we will need to go over the next decade' rather than an issue with not following the existing standard.
With that in mind, it may be more useful for an experimental release rather than a production one (as DNS clients may not be able to understand the communications).
Hopefully, the cryptographic modules in BIND are flexible enough that adding new hashes or cipher suites is a minor configuration issue rather than an overhaul.
RW
________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Danilo Godec via bind-users <bind-users at lists.isc.org>
Sent: Wednesday, October 16, 2024 8:21 AM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: Re: DS digest type(s)
I've been looking at RFC8624 and there is no mention of SHA-512 - just this:
+--------+-----------------+-------------------+-------------------+
| Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
+--------+-----------------+-------------------+-------------------+
| 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
| 1      | SHA-1           | MUST NOT          | MUST              |
| 2      | SHA-256         | MUST              | MUST              |
| 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
| 4      | SHA-384         | MAY               | RECOMMENDED       |
+--------+-----------------+-------------------+-------------------+
Are there any newer RFCs or guidelines regarding DNSSEC algorithms?
Danilo
On 16. 10. 24 14:15, Robert Wagner wrote:
Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) <https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF>
My understanding is this will be the base requirement for all US Government cryptography.
RW
________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Danilo Godec via bind-users <bind-users at lists.isc.org>
Sent: Wednesday, October 16, 2024 8:00 AM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: DS digest type(s)
Hi,
I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, while SHA-256 is mandatory and has to exist.

That leaves SHA-384, which is optional and I can generate manually with 'dnssec-dsfromkey'. Since I have to ask my registrar to add DS records to parent zones (.eu in this case), I can just send them both records, right?

Is it also possible to have dnssec-policy generate both digest types as CDS records?
Regards,
Danilo
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Best regards,
--
Danilo Godec | System Administration
AGENDA d.o.o. | Ul. Pohorskega bataljona 49, SI-2000 Maribor
E: danilo.godec at agenda.si | T: +386 (0)2 421 61 31
Agenda OpenSystems <https://www.agenda.si/> | Largest Slovenian open-source integrator
Red Hat in Slovenia <http://www.redhat.si/> | Red Hat Premier Business Partner
ElasticBox <http://elasticbox.eu/> | Business solutions in the cloud
Legal disclaimer statement <https://www.agenda.si/index.php?id=228>
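Added example (not part of the thread, and not BIND's or ISC's code): the DS computation from RFC 4034 section 5.1.4 that underlies Danilo's question, so that the "two DS records for one KSK" situation can be checked offline. The script derives both the SHA-256 (digest type 2) and SHA-384 (digest type 4) DS records for a single DNSKEY, refuses the digest types the RFC 8624 table quoted above marks MUST NOT for delegation, and re-validates a DS record the way a parent-side check or validator would. The zone name example.eu. and the DNSKEY are constructed for the example: its 64 "public key" bytes (0x01..0x40) are not a real ECDSA P-256 point and exist only to exercise the key-tag and digest arithmetic.

```python
import base64
import hashlib
import hmac

# Digest types a parent may publish per the RFC 8624 table quoted in the
# thread. SHA-1 (1) and GOST (3) are MUST NOT for delegation, so they are
# deliberately absent here and generation of them raises.
DIGEST_ALGOS = {2: hashlib.sha256, 4: hashlib.sha384}
DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2: lowercase labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(dnskey_text: str) -> bytes:
    """Wire RDATA of a DNSKEY in presentation format:
    '<owner> [TTL] [IN] DNSKEY <flags> <protocol> <algorithm> <base64 key>'."""
    fields = dnskey_text.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1 : i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4 :]))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner: str, dnskey_text: str, digest_types=(2, 4)) -> list[str]:
    """One DS RR per requested digest type, all for the same KSK.
    digest = H(owner-name-in-wire-format || DNSKEY RDATA), RFC 4034 s5.1.4."""
    rdata = dnskey_rdata(dnskey_text)
    tag, algorithm = key_tag(rdata), rdata[3]
    out = []
    for dt in digest_types:
        if dt not in DIGEST_ALGOS:
            name = DIGEST_NAMES.get(dt, "unknown")
            raise ValueError(f"digest type {dt} ({name}) is MUST NOT for delegation (RFC 8624)")
        digest = DIGEST_ALGOS[dt](owner_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {tag} {algorithm} {dt} {digest}")
    return out


def verify_ds(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """Recompute the digest from the DNSKEY and compare it with a published DS,
    which is what a validator does when it crosses the delegation."""
    fields = ds_text.split()
    i = fields.index("DS")
    tag, algorithm, dt = (int(x) for x in fields[i + 1 : i + 4])
    published = "".join(fields[i + 4 :]).upper()
    rdata = dnskey_rdata(dnskey_text)
    if dt not in DIGEST_ALGOS or tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    expected = DIGEST_ALGOS[dt](owner_to_wire(owner) + rdata).hexdigest().upper()
    return hmac.compare_digest(expected, published)


# Constructed KSK for the hypothetical zone example.eu.: flags 257 (KSK),
# protocol 3, algorithm 13 (ECDSAP256SHA256). The key bytes 0x01..0x40 are
# NOT a valid curve point; they only give the digest math something to chew on.
ZONE = "example.eu."
FAKE_PUBKEY = base64.b64encode(bytes(range(1, 65))).decode()
KSK = f"{ZONE} IN DNSKEY 257 3 13 {FAKE_PUBKEY}"

if __name__ == "__main__":
    records = ds_records(ZONE, KSK)           # SHA-256 and SHA-384 DS for one key
    for ds in records:
        print(ds)
    print("all DS records match the DNSKEY:", all(verify_ds(ZONE, KSK, ds) for ds in records))
```

Both records carry the same key tag and algorithm and differ only in digest type and digest, which is exactly the pair a registrar would be handed. For a real key file the digests should agree with what dnssec-dsfromkey produces for SHA-256 and SHA-384; any mismatch (wrong owner name, uppercase labels not canonicalised, a stale key) shows up as verify_ds returning False rather than as a silent validation failure at the parent.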