[dns-operations] .edu domain algorithm recommendation

Anthony Iliopoulos ailiop at lsu.edu
Mon Aug 16 21:23:45 UTC 2010


On Mon, Aug 16, 2010 at 05:00:11PM -0400, Sue True wrote:
> 
> I wonder what's the algorithm to use to generate keys? We have
> several top level .edu domains which are ready to get signed, I want
> to make sure the right algorithm is used, while checking some of the
> signed .edu zones, the algorithms used are different, for example:
> 
> internet2.edu: 7 RSASHA1-NSEC3-SHA1
> lsu.edu      : 8 RSA/SHA-256
> penn.edu     : 5 RSA/SHA-1
> 
> I am thinking to use Algorithm 7 to generate the keys, but on
> section 2.2 of this draft:
> 
> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-registry-fixes-06
> 
> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use
> just algorithm 7, and not 5?
> 
> The Quickstart guide for .gov Zone seems to think that it's okay to
> use 7 alone.

Algorithm 7 is just an alias for 5, the only difference between the identifiers
being the NSEC3 compatibility signaling. If you do not plan to use NSEC3, you
could possibly use RSA-SHA1 (5); otherwise you should go with RSA-SHA1-NSEC3 (7).

Other options to consider are the specific parameters of NSEC3 (iterations,
salt length), whether you will have a split KSK/ZSK, and the RSA key sizes.

Apart from that, there is SHA256/512 for DNSKEY/RRSIG records, along with
their corresponding algorithm identifiers, should you choose to use a stronger
hash function (which is generally a suggested practice).

Regards,
Anthony
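
The points in the reply above (algorithm 5 vs 7 differing only in NSEC3
signaling, SHA-256/512 variants as the stronger choice, and RSA key sizes as a
separate decision) can be checked mechanically against a zone's DNSKEY set.
The script below is an added example written for this page, not code from the
thread or from any of the zones mentioned. It assumes presentation-format
DNSKEY lines as input and RSA keys in RFC 3110 wire format; the sample keys it
builds are synthetic stand-ins (a modulus of one set bit followed by zeros)
that only exercise the parser and are not real zone keys. The key tag follows
RFC 4034 Appendix B, the NSEC3 compatibility rule follows RFC 5155 (algorithms
3 and 5 are not defined for NSEC3 zones; 6, 7, 8 and 10 are), and the
1024-bit floor is a threshold chosen for this example.

```python
"""Inspect DNSKEY records and report what the algorithm number implies.

Added example for the dns-operations thread, not code from the thread.
Assumes RSA keys (RFC 3110 format); sample keys below are synthetic.
"""
import base64
import struct

# Algorithm number -> (mnemonic, hash, usable with NSEC3?)  (RFC 4034, 5155, 5702)
ALGORITHMS = {
    3: ("DSA", "SHA-1", False),
    5: ("RSASHA1", "SHA-1", False),
    6: ("DSA-NSEC3-SHA1", "SHA-1", True),
    7: ("RSASHA1-NSEC3-SHA1", "SHA-1", True),
    8: ("RSASHA256", "SHA-256", True),
    10: ("RSASHA512", "SHA-512", True),
}
RSA_ALGORITHMS = {5, 7, 8, 10}


def rsa_modulus_bits(pubkey):
    """Return (exponent, modulus bit length) from an RFC 3110 RSA public key blob."""
    exp_len = pubkey[0]
    offset = 1
    if exp_len == 0:                      # long form: 2-byte exponent length follows
        exp_len = struct.unpack("!H", pubkey[1:3])[0]
        offset = 3
    exponent = int.from_bytes(pubkey[offset:offset + exp_len], "big")
    modulus = int.from_bytes(pubkey[offset + exp_len:], "big")
    return exponent, modulus.bit_length()


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag (not valid for the obsolete algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):         # sum the RDATA as big-endian 16-bit words
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def inspect_dnskey(line, zone_uses_nsec3):
    """Parse one DNSKEY presentation-format line and return a report dict."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    name, hash_name, nsec3_ok = ALGORITHMS.get(algorithm, ("UNKNOWN", "?", False))
    report = {
        "owner": fields[0],
        "role": "KSK" if flags & 1 else "ZSK",   # SEP bit marks the KSK
        "algorithm": algorithm,
        "name": name,
        "hash": hash_name,
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
        "bits": None,
        "warnings": [],
    }
    if algorithm in RSA_ALGORITHMS:
        _, report["bits"] = rsa_modulus_bits(pubkey)
        if report["bits"] < 1024:              # example threshold, not an RFC value
            report["warnings"].append("RSA modulus shorter than 1024 bits")
    if hash_name == "SHA-1":
        report["warnings"].append("SHA-1 signatures; prefer RSASHA256 (8) or RSASHA512 (10)")
    if zone_uses_nsec3 and not nsec3_ok:
        report["warnings"].append(
            "algorithm %d is not defined for NSEC3 zones (RFC 5155); use 6/7 or 8/10" % algorithm)
    return report


def synthetic_rsa_pubkey(bits):
    """Constructed RFC 3110 blob: e=65537, modulus of exactly `bits` bits.
    The modulus is a single set bit plus zeros, NOT a real RSA modulus."""
    modulus = b"\x80" + b"\x00" * (bits // 8 - 1)
    return b"\x03\x01\x00\x01" + modulus


def dnskey_line(owner, flags, algorithm, bits):
    """Build a presentation-format DNSKEY line around a synthetic key."""
    b64 = base64.b64encode(synthetic_rsa_pubkey(bits)).decode()
    return "%s 3600 IN DNSKEY %d 3 %d %s" % (owner, flags, algorithm, b64)


# Constructed sample zone (hypothetical name): an NSEC3 zone with a mixed key set.
SAMPLE_KEYS = [
    dnskey_line("example.edu.", 257, 8, 2048),   # KSK, RSASHA256: fine
    dnskey_line("example.edu.", 256, 7, 1024),   # ZSK, RSASHA1-NSEC3-SHA1: SHA-1
    dnskey_line("example.edu.", 257, 5, 2048),   # KSK, RSASHA1: not allowed with NSEC3
]


def audit(lines, zone_uses_nsec3=True):
    """Run inspect_dnskey over every line of a DNSKEY RRset."""
    return [inspect_dnskey(line, zone_uses_nsec3) for line in lines]


if __name__ == "__main__":
    for r in audit(SAMPLE_KEYS):
        print("%s %s alg %2d (%s, %s) tag %5d bits %s" % (
            r["owner"], r["role"], r["algorithm"], r["name"], r["hash"], r["key_tag"], r["bits"]))
        for w in r["warnings"]:
            print("    !", w)
```

Run it against a real RRset with `dig +multi DNSKEY zone` output pasted into
SAMPLE_KEYS (one record per line). The key tags it computes match the ones
`dig` and `dnssec-dsfromkey` print, which is the quickest way to confirm the
parser read the record you think it did.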
