[dns-operations] .ORG still using SHA-1 DNSKEYs

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Feb 5 02:03:55 UTC 2020


Anyone know whom at PIR to nag?  I see that .ORG are still using
RSA-SHA1 DNSKEYs:

    org. IN DS 9795 7 2 3922b31b6f3a4ea92b19eb7b52120f031fd8e05ff0b03bafcf9f891bfe7ff8e5
    org. IN DS 9795 7 1 364dfab3daf254cab477b5675b10766ddaa24982

The DNSKEYs are (and have been):

      alg | flags | bits |     ~active |  ~inactive
      ----+-------+------+-------------+-----------
        7 |   257 | 2048 |<<2017-10-19 |
        7 |   257 | 2048 |<<2017-10-19 |
      ----+-------+------+-------------+-----------
        7 |   256 | 1024 |  2018-11-17 | 2019-01-10
        7 |   256 | 1024 |  2018-12-09 | 2019-02-09
        7 |   256 | 1024 |  2019-01-10 | 2019-03-10
        7 |   256 | 1024 |  2019-02-09 | 2019-04-09
        7 |   256 | 1024 |  2019-03-10 | 2019-05-10
        7 |   256 | 1024 |  2019-04-09 | 2019-06-09
        7 |   256 | 1024 |  2019-05-10 | 2019-07-09
        7 |   256 | 1024 |  2019-06-09 | 2019-08-09
        7 |   256 | 1024 |  2019-07-09 | 2019-09-10
        7 |   256 | 1024 |  2019-08-09 | 2019-10-11
        7 |   256 | 1024 |  2019-09-10 | 2019-11-10
        7 |   256 | 1024 |  2019-10-11 | 2019-12-09
        7 |   256 | 1024 |  2019-11-10 | 2020-01-09
        7 |   256 | 1024 |  2019-12-09 |
        7 |   256 | 1024 |  2020-01-09 |

Which looks like monthly ZSK rotation, nice!  But, all the keys are
RSA-SHA1, and it is unclear what the second KSK is for (only one
matches the DS RRset, is it some sort of "backup"?).

It would be nice to see these move to RSASHA256 (algorithm 8) with a
1280-bit ZSK.  Or ECDSAP256SHA256 (algorithm 13).  Staying with RSA-SHA1
is no longer a sound choice.

-- 
    Viktor.
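A small audit helper, added here as an example and not part of the post or of PIR's tooling: it parses the two .ORG DS records quoted above, flags DNSSEC algorithms and DS digest types that depend on SHA-1, and implements the RFC 4034 key-tag and DS-digest computation so a DNSKEY can be matched against a DS RRset. The DNSKEY used in the comments is a constructed placeholder, not .ORG's real key.

```python
# Added example: audit DS/DNSKEY records for SHA-1 dependence.
# Key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4.
import hashlib
import struct

# Algorithms whose signatures rest on SHA-1 or weaker. RFC 8624 marks
# 5 and 7 NOT RECOMMENDED for signing and 1, 3, 6 MUST NOT.
SHA1_OR_WEAKER_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
                       6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
DIGEST_HASH = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# DS records quoted in the post (sample input for audit_ds).
ORG_DS = [
    "org. IN DS 9795 7 2 3922b31b6f3a4ea92b19eb7b52120f031fd8e05ff0b03bafcf9f891bfe7ff8e5",
    "org. IN DS 9795 7 1 364dfab3daf254cab477b5675b10766ddaa24982",
]

def parse_ds(line):
    """Parse presentation format: owner IN DS keytag alg digesttype digest."""
    f = line.split()
    return {"owner": f[0], "keytag": int(f[3]), "alg": int(f[4]),
            "digest_type": int(f[5]), "digest": "".join(f[6:]).lower()}

def owner_wire(name):
    """Wire-format, lower-cased owner name: 'org.' -> b'\\x03org\\x00'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey):
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(flags, protocol, alg, pubkey):
    """RFC 4034 Appendix B: 16-bit accumulator over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, alg, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, flags, protocol, alg, pubkey, digest_type):
    """Hex DS digest over owner-name wire form followed by DNSKEY RDATA."""
    h = DIGEST_HASH[digest_type]()
    h.update(owner_wire(owner) + dnskey_rdata(flags, protocol, alg, pubkey))
    return h.hexdigest()

def ds_matches(ds, flags, protocol, alg, pubkey):
    """True if the DS record was derived from this DNSKEY (tag, alg, digest)."""
    return (ds["keytag"] == key_tag(flags, protocol, alg, pubkey)
            and ds["alg"] == alg
            and ds["digest"] == ds_digest(ds["owner"], flags, protocol, alg,
                                          pubkey, ds["digest_type"]))

def audit_ds(lines):
    """Return one finding per DS field that still depends on SHA-1."""
    findings = []
    for ds in map(parse_ds, lines):
        tag = f"{ds['owner']} keytag {ds['keytag']}"
        if ds["alg"] in SHA1_OR_WEAKER_ALGS:
            findings.append(f"{tag}: algorithm {ds['alg']} "
                            f"({SHA1_OR_WEAKER_ALGS[ds['alg']]}) is SHA-1 based")
        if ds["digest_type"] == 1:
            findings.append(f"{tag}: DS digest type 1 is SHA-1")
    return findings
```

Run `audit_ds(ORG_DS)` to see the three findings for the records above; `ds_matches` with the zone's actual DNSKEY RDATA tells you which KSK the published DS RRset covers.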
