[dns-operations] .edu domain algorithm recommendation

Hugo Salgado hsalgado at nic.cl
Mon Aug 16 21:41:22 UTC 2010


On 08/16/2010 05:26 PM, Michael Sinatra wrote:
> On 08/16/10 14:00, Sue True wrote:
>>
>> I wonder what's the algorithm to use to generate keys? We have several
>> top level .edu domains which are ready to get signed, I want to make
>> sure the right algorithm is used, while checking some of the signed .edu
>> zones, the algorithms used are different, for example:
>>
>> internet2.edu: 7 RSASHA1-NSEC3-SHA1
>> lsu.edu : 8 RSA/SHA-256
>> penn.edu : 5 RSA/SHA-1
> 
> FTR:
> ucb.edu: 10 RSASHA512
> ucberkeley.edu: 10 RSASHA512 (in the process of migrating)
> berkeley.edu: will be 10 RSASHA512
> 
> 
>> I am thinking of using Algorithm 7 to generate the keys, but in section
>> 2.2 of this draft:
>>
>> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-registry-fixes-06
>>
>> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just
>> algorithm 7, and not 5?

Algo 5 is required for a nameserver implementation, not for a given
zone. As long as your parent, your server software and the resolvers
you care about support 7, you can go only with that.

Hugo



