[dns-operations] .edu domain algorithm recommendation

Rose, Scott W. scott.rose at nist.gov
Tue Aug 17 16:24:38 UTC 2010 

Unfortunately it's not that easy.  See draft-ietf-dnsop-rfc4641bis-04 (http://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc4641bis/) Section 4.1.5., it basically involves adding the RRSIG's first, then the keys.  

It would be easier (if you can accept being seen as "insecure" by validators for a bit) to remove the DS RR and wait until you see it removed from the .edu zone.  Then wait the TTL value of the DS or your DNSKEY RR (whichever is greater), and resign the zone with the new algorithm and upload the new DS RR.  

The risk comes that someone might have loaded your current KSK as a trust anchor - you have no way of knowing, but chances are pretty slim.  For those, the zone will appear bogus once it is resigned.  Otherwise, it appears unsigned for a while until the new DS RR appears in the .edu zone.

Those that are getting signed for the first time can go with algorithm 8 right off the bat.  

Scott


On Aug 17, 2010, at 11:40 AM, Sue True wrote:

> 
> One of our top level .edu already signed with 7 and have DS loaded to 
> educause, based on the suggestions from the list, I'll go with 8 for the 
> rest zones. And for easy maintenance, I want to change the zone that 
> currently using 7 to 8, here are the steps:
> 
> 1. generate 3 new keys using 8, so the zone will load six keys:
>    ksk-7 zsk-act-7 zsk-pre-7 ksk-8 zsk-act-8 zsk-pre-8
> 
> 2. sign the zone with two ksk and two active zsk:
>    dnssec-signzone -g -a -H 10 -3 ffee -k ksk-7 -k ksk-8 my.edu zsk-act-7 zsk-act-8
> 
> 3. load DS-8 to educause
> 
> 4. TTL is 3600, will wait two days and delete DS-7 from educause
> 
> 5. wait(how long?) to delete ksk-7 zsk-act-7 zsk-pre-7 from zone
> 
> 6. sign with ksk-8 and zsk-act-8 only
> 
> Will the above work?
> 
> On the other hand, is there a way to make the zone unseure and start over 
> from plain text zone file without messing with two types of Algo? How to 
> go back to unsigned state from signed? I'm thinking to delete current DS-7 
> from educause, wait TTL of DS, load plain zone instead of singed zone, but 
> afraid it will cause SERVFAIL.
> 
> 
> Thanks!
> Sue
> 
> On Tue, 17 Aug 2010, Rose, Scott W. wrote:
> 
>> On Aug 16, 2010, at 5:00 PM, Sue True wrote:
>> 
>>> 
>>> I wonder what's the algorithm to use to generate keys? We have several top
>>> level .edu domains which are ready to get signed, I want to make sure the
>>> right algorithm is used, while check some of the singed .edu zones, the
>>> algorithms used are different, for example:
>>> 
>>> internet2.edu: 7 RSASHA1-NSEC3-SHA1
>>> lsu.edu      : 8 RSA/SHA-256
>>> penn.edu     : 5 RSA/SHA-1
>>> 
>>> I am thinking to use Algorithm 7 to generate the keys, but on section 2.2
>>> of this draft:
>>> 
>>> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-registry-fixes-06
>>> 
>>> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just
>>> algorithm 7, and not 5?
>>> 
>>> The Quickstart guide for .gov Zone seems to think that it's okay to use 7
>>> alone.
>>> 
>> 
>> draft-registry-fixes is primarily aimed at implementors, not deployments, so don't take its keywords as gospel, only as a guide of what to expect in implementations.
>> 
>> Algo 5 & 7 are the same, one just signals the use of NSEC3 (code 7) instead of NSEC, so it you want to use RSA/SHA-1 and NSEC3, it's 7, otherwise 5.  So it really depends on how you feel about the risk of zone enumeration.
>> 
>> RSA/SHA-256 is relatively new, so not a lot of validators understand it yet.  It's considered superior (NIST recommends it over RSA/SHA-1 for PKI), but there is a lot of older code out there that doesn't understand it. To those resolvers, your zone would be provably insecure - just like traditional DNS.
>> 
>> FWIW, .gov still uses RSA/SHA-1 for compatibility, but new DNSSEC zones could use RSA/SHA-256 (it's easier) - there isn't enough validation to really justify starting with an older algorithm.  So use either 8 or 7 (if you want NSEC3).
>> 
>> Scott
>> 
>> 
>> 
>> 
>> 
>>> 
>>> Thanks!
>>> 
>>> Sue
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> 
>> ===================================
>> Scott Rose
>> NIST
>> scottr at nist.gov
>> +1 301-975-8439
>> Google Voice: +1 571-249-3671
>> http://www.dnsops.gov/
>> ===================================
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> 

===================================
Scott Rose
NIST
scottr at nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================

More information about the dns-operations mailing list