<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">I've been looking at RFC8624 and there
is no mention of SHA-512 - just this:</div>
<div class="moz-cite-prefix"><br>
</div>
<pre class="moz-cite-prefix">   +--------+-----------------+-------------------+-------------------+
   | Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
   +--------+-----------------+-------------------+-------------------+
   | 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
   | 1      | SHA-1           | MUST NOT          | MUST              |
   | 2      | SHA-256         | MUST              | MUST              |
   | 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
   | 4      | SHA-384         | MAY               | RECOMMENDED       |
   +--------+-----------------+-------------------+-------------------+
</pre>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Are there any newer RFCs or guidelines
regarding DNSSEC algorithms?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> Danilo</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 16. 10. 24 14:15, Robert Wagner
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BL0PR04MB47399E20BD8907100043AB20BE462@BL0PR04MB4739.namprd04.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
Our preference would be to at least allow SHA-384 and SHA-512
per the CNSA 2.0 requirements:
<a
href="https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF"
id="LPlnkOWA3bfb6ee6-f6b2-eed1-c619-6007d84696ca"
class="OWAAutoLink" moz-do-not-send="true">
CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov)</a> </div>
<div id="Signature" class="elementToProof">
<p style="direction: ltr; margin-top: 0px; margin-bottom: 0px;"><span
style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);"><br>
</span></p>
<p style="direction: ltr; margin-top: 0px; margin-bottom: 0px;"><span
style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">My
understanding is this will be the base requirement for all
US Government cryptography.</span></p>
<p style="direction: ltr; margin-top: 0px; margin-bottom: 0px;"><span
style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);"><br>
</span></p>
<p style="direction: ltr; margin-top: 0px; margin-bottom: 0px;"><span
style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">RW</span></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif"
style="font-size:11pt" color="#000000"><b>From:</b> bind-users
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users-bounces@lists.isc.org"><bind-users-bounces@lists.isc.org></a> on behalf of Danilo
Godec via bind-users <a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a><br>
<b>Sent:</b> Wednesday, October 16, 2024 8:00 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a><br>
<b>Subject:</b> DS digest type(s)</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span
style="font-size:11pt;">
<div class="PlainText">
Hi,<br>
<br>
<br>
I've been doing some more reading into DNSSEC and if I
understand<br>
correctly, it is allowed to have multiple DS records for
one KSK - with<br>
different digest types. Apparently, SHA-1 is deprecated
and shouldn't be<br>
used anymore, while SHA-256 is mandatory and has to exist.<br>
<br>
That leaves SHA-384, which is optional and I can generate
manually with<br>
'dnssec-dsfromkey'. Since I have to ask my registrar to
add DS records<br>
to parent zones (.eu in this case), I can just send them
both records,<br>
right?<br>
<br>
<br>
Is it also possible to have dnssec-policy to generate both
digest types<br>
as CDS records?<br>
<br>
<br>
Regards,<br>
<br>
Danilo<br>
<br>
<br>
--<br>
Visit <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid
support subscriptions. Contact us at
<a href="https://www.isc.org/contact/"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.isc.org/contact/</a>
for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a
href="https://lists.isc.org/mailman/listinfo/bind-users"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</div>
</span></font></div>
</blockquote>
<p><br>
</p>
<div class="moz-signature">
<div><br>
Lep pozdrav / Best regards,<br>
--<br>
<table cellpadding="0" cellspacing="0" border="0"
style="background: none; border-width: 0px; border: 0px; margin: 0; padding: 0;">
<tbody>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;">
<span style="font-weight: bold;">Danilo Godec</span> |
Sistemska podpora / System Administration </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;">
<span style="font-weight: bold; color: #ed1c24">AGENDA
d.o.o.</span> | Ul. Pohorskega bataljona 49, Sl-2000
Maribor </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;">
<span style="font-weight: bold; color: #ed1c24">E:</span>
<a href="mailto:danilo.godec@agenda.si"
class="moz-txt-link-freetext"> danilo.godec@agenda.si
</a> | <span style="font-weight: bold; color: #ed1c24">T:</span>
+386 (0)2 421 61 31 </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif; padding-top: 12px;">
<a href="https://www.agenda.si/"> Agenda OpenSystems </a>
| The largest Slovenian open-source integrator </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;">
<a href="http://www.redhat.si/"> Red Hat in Slovenia </a>
| Red Hat Premier Business Partner </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;">
<a href="http://elasticbox.eu/"> ElasticBox </a> |
Business solutions in the cloud </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif; padding-top: 22px; padding-bottom: 22px;">
<a style="border: 0" href="https://www.agenda.si/"> <img
alt="Agenda d.o.o." style="border: 0"
src="cid:part1.MgN3Wx37.Zr3vJkb0@agenda.si"> </a> </td>
</tr>
<tr>
<td valign="top"
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;">
<a href="https://www.agenda.si/index.php?id=228"> Izjava
o omejitvi odgovornosti / Legal disclaimer statement </a>
</td>
</tr>
</tbody>
</table>
</div>
</div>
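<p>Added worked example (not from this thread, from BIND, or from any RFC text): the Python script below builds the DS records for one KSK with both digest types the quoted table permits for delegation, SHA-256 (type 2) and SHA-384 (type 4), following the DS digest definition of RFC 4034 (hash over the owner name in canonical wire form followed by the DNSKEY RDATA) and the key tag algorithm of RFC 4034 Appendix B. The owner name <code>example.eu.</code> and the DNSKEY are constructed placeholders, and the public key is a 64-byte dummy rather than a real key; DS generation only needs the RDATA bytes. The output shows what "two DS records for one KSK" means concretely: identical key tag and algorithm, different digest type and digest. Asking for a type that has no number in the table (SHA-512, for instance) is rejected, which mirrors the situation the thread describes.</p>

```python
import base64
import hashlib

# DS digest types usable for delegation per the RFC 8624 table quoted above.
# SHA-512 has no entry, so it cannot be requested here.
DIGEST_ALGS = {2: ("SHA-256", hashlib.sha256), 4: ("SHA-384", hashlib.sha384)}

# Constructed sample key: bytes 0..63 standing in for an ECDSA P-256 public key.
# This is NOT a real key; it only exercises the DS computation.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")
# flags 257 = zone key with SEP bit (a KSK), protocol 3, algorithm 13 = ECDSAP256SHA256
SAMPLE_DNSKEY = "257 3 13 " + SAMPLE_KEY_B64


def owner_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root byte."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    out = b""
    for label in labels:
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: sum of 16-bit words, carry folded back in (not for RSA/MD5)."""
    ac = 0
    for i in range(0, len(rdata), 2):
        # A trailing odd byte counts as the high byte of a final word.
        ac += int.from_bytes(rdata[i:i + 2].ljust(2, b"\x00"), "big")
    return (ac + ac // 65536) % 65536


def ds_records(owner, dnskey_text, digest_types=(2, 4)):
    """Presentation-format DS lines for one DNSKEY, one per requested digest type.

    dnskey_text is the RDATA as it appears in a zone file: "flags protocol algorithm base64key".
    All returned lines share the key tag and algorithm; only digest type and digest differ.
    """
    flags, protocol, algorithm, key_b64 = dnskey_text.split(None, 3)
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), "".join(key_b64.split()))
    tag = key_tag(rdata)
    material = owner_wire(owner) + rdata
    lines = []
    for dt in digest_types:
        if dt not in DIGEST_ALGS:
            raise ValueError(f"digest type {dt} is not a delegation-usable DS digest type")
        _, hash_fn = DIGEST_ALGS[dt]
        digest = hash_fn(material).hexdigest().upper()
        lines.append(f"{owner} IN DS {tag} {algorithm} {dt} {digest}")
    return lines


if __name__ == "__main__":
    # Both lines can be handed to the registrar together; the same RDATA, with the
    # type changed to CDS, is what a CDS record carrying that digest would contain.
    for line in ds_records("example.eu.", SAMPLE_DNSKEY):
        print(line)
```

<p>The digest is computed over the lower-cased owner name, so the same DNSKEY yields the same digest whether the zone is written as <code>example.eu.</code> or <code>EXAMPLE.EU.</code>; a DS that does not match what the child publishes, whatever the digest type, breaks the chain of trust, so verifying both digests against the child's DNSKEY before sending them to the registrar is the useful check.</p>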
</body>
</html>