[dns-operations] .edu domain algorithm recommendation
Rose, Scott W.
scott.rose at nist.gov
Tue Aug 17 11:17:10 UTC 2010
On Aug 16, 2010, at 5:00 PM, Sue True wrote:
> I wonder what's the algorithm to use to generate keys? We have several top
> level .edu domains which are ready to get signed, I want to make sure the
> right algorithm is used, while check some of the singed .edu zones, the
> algorithms used are different, for example:
> internet2.edu: 7 RSASHA1-NSEC3-SHA1
> lsu.edu : 8 RSA/SHA-256
> penn.edu : 5 RSA/SHA-1
> I am thinking to use Algorithm 7 to generate the keys, but on section 2.2
> of this draft:
> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just
> algorithm 7, and not 5?
> The Quickstart guide for .gov Zone seems to think that it's okay to use 7
draft-registry-fixes is primarily aimed at implementors, not deployments, so don't take its keywords as gospel, only as a guide of what to expect in implementations.
Algo 5 & 7 are the same, one just signals the use of NSEC3 (code 7) instead of NSEC, so it you want to use RSA/SHA-1 and NSEC3, it's 7, otherwise 5. So it really depends on how you feel about the risk of zone enumeration.
RSA/SHA-256 is relatively new, so not a lot of validators understand it yet. It's considered superior (NIST recommends it over RSA/SHA-1 for PKI), but there is a lot of older code out there that doesn't understand it. To those resolvers, your zone would be provably insecure - just like traditional DNS.
FWIW, .gov still uses RSA/SHA-1 for compatibility, but new DNSSEC zones could use RSA/SHA-256 (it's easier) - there isn't enough validation to really justify starting with an older algorithm. So use either 8 or 7 (if you want NSEC3).
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
scottr at nist.gov
Google Voice: +1 571-249-3671
More information about the dns-operations