[dns-operations] .edu domain algorithm recommendation

Sue True bloomingtonian at gmail.com
Tue Aug 17 15:40:21 UTC 2010

One of our top level .edu already signed with 7 and have DS loaded to 
educause, based on the suggestions from the list, I'll go with 8 for the 
rest zones. And for easy maintenance, I want to change the zone that 
currently using 7 to 8, here are the steps:

1. generate 3 new keys using 8, so the zone will load six keys:
    ksk-7 zsk-act-7 zsk-pre-7 ksk-8 zsk-act-8 zsk-pre-8

2. sign the zone with two ksk and two active zsk:
    dnssec-signzone -g -a -H 10 -3 ffee -k ksk-7 -k ksk-8 my.edu zsk-act-7 zsk-act-8

3. load DS-8 to educause

4. TTL is 3600, will wait two days and delete DS-7 from educause

5. wait(how long?) to delete ksk-7 zsk-act-7 zsk-pre-7 from zone

6. sign with ksk-8 and zsk-act-8 only

Will the above work?

On the other hand, is there a way to make the zone unseure and start over 
from plain text zone file without messing with two types of Algo? How to 
go back to unsigned state from signed? I'm thinking to delete current DS-7 
from educause, wait TTL of DS, load plain zone instead of singed zone, but 
afraid it will cause SERVFAIL.


On Tue, 17 Aug 2010, Rose, Scott W. wrote:

> On Aug 16, 2010, at 5:00 PM, Sue True wrote:
>> I wonder what's the algorithm to use to generate keys? We have several top
>> level .edu domains which are ready to get signed, I want to make sure the
>> right algorithm is used, while check some of the singed .edu zones, the
>> algorithms used are different, for example:
>> internet2.edu: 7 RSASHA1-NSEC3-SHA1
>> lsu.edu      : 8 RSA/SHA-256
>> penn.edu     : 5 RSA/SHA-1
>> I am thinking to use Algorithm 7 to generate the keys, but on section 2.2
>> of this draft:
>> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-registry-fixes-06
>> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just
>> algorithm 7, and not 5?
>> The Quickstart guide for .gov Zone seems to think that it's okay to use 7
>> alone.
> draft-registry-fixes is primarily aimed at implementors, not deployments, so don't take its keywords as gospel, only as a guide of what to expect in implementations.
> Algo 5 & 7 are the same, one just signals the use of NSEC3 (code 7) instead of NSEC, so it you want to use RSA/SHA-1 and NSEC3, it's 7, otherwise 5.  So it really depends on how you feel about the risk of zone enumeration.
> RSA/SHA-256 is relatively new, so not a lot of validators understand it yet.  It's considered superior (NIST recommends it over RSA/SHA-1 for PKI), but there is a lot of older code out there that doesn't understand it. To those resolvers, your zone would be provably insecure - just like traditional DNS.
> FWIW, .gov still uses RSA/SHA-1 for compatibility, but new DNSSEC zones could use RSA/SHA-256 (it's easier) - there isn't enough validation to really justify starting with an older algorithm.  So use either 8 or 7 (if you want NSEC3).
> Scott
>> Thanks!
>> Sue
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> ===================================
> Scott Rose
> scottr at nist.gov
> +1 301-975-8439
> Google Voice: +1 571-249-3671
> http://www.dnsops.gov/
> ===================================
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list