[dns-operations] .edu domain algorithm recommendation

Rose, Scott W. scott.rose at nist.gov
Tue Aug 17 11:17:10 UTC 2010

On Aug 16, 2010, at 5:00 PM, Sue True wrote:

> I wonder what's the algorithm to use to generate keys? We have several top 
> level .edu domains which are ready to get signed, I want to make sure the 
> right algorithm is used, while checking some of the signed .edu zones, the 
> algorithms used are different, for example:
> internet2.edu: 7 RSASHA1-NSEC3-SHA1
> lsu.edu      : 8 RSA/SHA-256
> penn.edu     : 5 RSA/SHA-1
> I am thinking to use Algorithm 7 to generate the keys, but on section 2.2 
> of this draft:
> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-registry-fixes-06
> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just 
> algorithm 7, and not 5?
> The Quickstart guide for .gov Zone seems to think that it's okay to use 7 
> alone.

draft-registry-fixes is primarily aimed at implementors, not deployments, so don't take its keywords as gospel, only as a guide of what to expect in implementations.

Algo 5 & 7 are the same, one just signals the use of NSEC3 (code 7) instead of NSEC, so if you want to use RSA/SHA-1 and NSEC3, it's 7, otherwise 5.  So it really depends on how you feel about the risk of zone enumeration.

RSA/SHA-256 is relatively new, so not a lot of validators understand it yet.  It's considered superior (NIST recommends it over RSA/SHA-1 for PKI), but there is a lot of older code out there that doesn't understand it. To those resolvers, your zone would be provably insecure - just like traditional DNS.  

FWIW, .gov still uses RSA/SHA-1 for compatibility, but new DNSSEC zones could use RSA/SHA-256 (it's easier) - there isn't enough validation to really justify starting with an older algorithm.  So use either 8 or 7 (if you want NSEC3).


> Thanks!
> Sue
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Scott Rose
scottr at nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
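The following is an added example, not code from the list post or from NIST: a small Python script that parses DNSKEY records in presentation format (what `dig DNSKEY` or a zone file gives you), computes the RFC 4034 key tag for each key, and applies the reasoning from the reply above (5 vs 7 only differ in NSEC3 signalling, 8 is RSA/SHA-256 that older validators treat as unsigned). The DNSKEY records it runs over are constructed sample data with throwaway public-key material, not real .edu keys; the owner name `example.edu.` and the `uses_nsec3` flag are assumptions for the demonstration.

```python
import base64
import re
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry, limited to the ones the
# thread discusses: number -> (mnemonic, allocated with NSEC3 in mind).
ALGORITHMS = {
    5: ("RSASHA1", False),            # RFC 4034, NSEC only
    7: ("RSASHA1-NSEC3-SHA1", True),  # RFC 5155 alias of 5 that signals NSEC3
    8: ("RSASHA256", True),           # RFC 5702, post-NSEC3 so NSEC3 is fine
}

# Presentation format: <owner> [TTL] [IN] DNSKEY <flags> <protocol> <alg> <base64 key>
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$"
)


@dataclass
class DnsKey:
    owner: str
    flags: int
    algorithm: int
    key_tag: int

    @property
    def role(self) -> str:
        # Flags 257 has the SEP bit set (a KSK); 256 is a plain ZSK.
        return "KSK" if self.flags & 1 else "ZSK"

    @property
    def mnemonic(self) -> str:
        return ALGORITHMS.get(self.algorithm, ("UNKNOWN", False))[0]


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA; this is the tag that
    shows up in the DS record and in RRSIGs."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text: str) -> list[DnsKey]:
    """Parse every DNSKEY line in `text`; non-DNSKEY lines are ignored."""
    keys = []
    for line in text.strip().splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        pubkey = base64.b64decode("".join(m.group("key").split()))
        flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
        keys.append(DnsKey(m.group("owner"), flags, alg, key_tag(flags, proto, alg, pubkey)))
    return keys


def assess(keys: list[DnsKey], uses_nsec3: bool) -> list[str]:
    """One line of advice per key, following the reasoning in the reply above."""
    notes = []
    for k in keys:
        line = f"{k.owner} {k.role} alg {k.algorithm} ({k.mnemonic}) tag {k.key_tag}: "
        if k.algorithm == 5 and uses_nsec3:
            line += "zone uses NSEC3 but alg 5 does not signal it; use 7 so pre-NSEC3 validators see an unknown algorithm instead of a bogus zone"
        elif k.algorithm == 7 and not uses_nsec3:
            line += "alg 7 with plain NSEC validates, but 5 is the conventional choice when NSEC3 is not used"
        elif k.algorithm == 8:
            line += "RSA/SHA-256; validators without RFC 5702 support treat the zone as insecure (unsigned)"
        elif k.algorithm in (5, 7):
            line += "RSA/SHA-1; widest validator support"
        else:
            line += "algorithm not covered in this thread"
        notes.append(line)
    return notes


# Constructed sample DNSKEY RRset (assumption): the base64 blobs are not real
# RSA keys, just enough bytes to exercise parsing and key-tag computation.
SAMPLE_DNSKEYS = """
example.edu. 3600 IN DNSKEY 257 3 7 AwEAAQ==
example.edu. 3600 IN DNSKEY 256 3 7 AwEAAQ==
example.edu. 3600 IN DNSKEY 256 3 8 AwEAAQ==
"""

if __name__ == "__main__":
    for note in assess(parse_dnskeys(SAMPLE_DNSKEYS), uses_nsec3=True):
        print(note)
```

To run it against a live zone, replace `SAMPLE_DNSKEYS` with the output of `dig +multi DNSKEY <zone>` and set `uses_nsec3` according to whether the zone answers negative queries with NSEC3 records. The key tags it prints are the values you should see in the DS records at the parent, which makes the script a quick cross-check before and after a key rollover.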
