[dns-operations] [Non-DoD Source] .ORG still using SHA-1 DNSKEYs

Stephenson, Ryan M CIV DISA IE (USA) ryan.m.stephenson2.civ at mail.mil
Wed Feb 5 15:38:36 UTC 2020


Have you spoken with Joe Abley about this?  I think he is still the CTO of .org.

-----Original Message-----
From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of Viktor Dukhovni
Sent: Tuesday, February 4, 2020 9:04 PM
To: dns-operations at dns-oarc.net
Subject: [Non-DoD Source] [dns-operations] .ORG still using SHA-1 DNSKEYs


Anyone know whom at PIR to nag?  I see that .ORG are still using
RSA-SHA1 DNSKEYs:

    org. IN DS 9795 7 2 3922b31b6f3a4ea92b19eb7b52120f031fd8e05ff0b03bafcf9f891bfe7ff8e5
    org. IN DS 9795 7 1 364dfab3daf254cab477b5675b10766ddaa24982

The DNSKEYs are (and have been):

      alg | flags | bits |     ~active |  ~inactive
      ----+-------+------+-------------+-----------
        7 |   257 | 2048 |<<2017-10-19 |
        7 |   257 | 2048 |<<2017-10-19 |
      ----+-------+------+-------------+-----------
        7 |   256 | 1024 |  2018-11-17 | 2019-01-10
        7 |   256 | 1024 |  2018-12-09 | 2019-02-09
        7 |   256 | 1024 |  2019-01-10 | 2019-03-10
        7 |   256 | 1024 |  2019-02-09 | 2019-04-09
        7 |   256 | 1024 |  2019-03-10 | 2019-05-10
        7 |   256 | 1024 |  2019-04-09 | 2019-06-09
        7 |   256 | 1024 |  2019-05-10 | 2019-07-09
        7 |   256 | 1024 |  2019-06-09 | 2019-08-09
        7 |   256 | 1024 |  2019-07-09 | 2019-09-10
        7 |   256 | 1024 |  2019-08-09 | 2019-10-11
        7 |   256 | 1024 |  2019-09-10 | 2019-11-10
        7 |   256 | 1024 |  2019-10-11 | 2019-12-09
        7 |   256 | 1024 |  2019-11-10 | 2020-01-09
        7 |   256 | 1024 |  2019-12-09 |
        7 |   256 | 1024 |  2020-01-09 |

Which looks like monthly ZSK rotation, nice!  But, all the keys are
RSA-SHA1, and it is unclear what the second KSK is for (only one
matches the DS RRset, is it some sort of "backup"?).

It would be nice to see these move to RSASHA256 (algorithm 8) with a
1280-bit ZSK.  Or ECDSAP256SHA256 (algorithm 13).  Staying with RSA-SHA1
is no longer a sound choice.

-- 
    Viktor.
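The post reads the SHA-1 use straight off the DS RRset (algorithm 7, digest type 1) and the DNSKEY table. As an added example, not part of the list post, here is a small auditor that applies the RFC 4034 key-tag and DS-digest procedures to a zone's DNSKEY and DS records and reports SHA-1 signing algorithms (5 and 7), SHA-1 DS digests, and DS records that match no key. The DNSKEY material in the test is constructed; only the DS records are the ones quoted above.

```python
"""Audit DNSKEY/DS records for SHA-1 use (RFC 4034 key tag and DS digest)."""
import base64
import hashlib
import struct

SHA1_SIGNING_ALGS = {5, 7}   # RSASHA1 and RSASHA1-NSEC3-SHA1 (.ORG used 7)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 and 2

def wire_name(name):
    """Owner name in DNS wire format, lower-cased as RFC 4034 5.1.4 requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B: sum the 16-bit words, then fold in the carry."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += (rdata[i] << 8) + (rdata[i + 1] if i + 1 < len(rdata) else 0)
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA)."""
    return DS_DIGEST[digest_type](wire_name(owner) + rdata).hexdigest()

def audit(owner, dnskeys, ds_records):
    """dnskeys: (flags, alg, base64 key); ds_records: (tag, alg, digest_type, hex).
    Returns human-readable findings; an empty list means nothing to flag."""
    findings, computed = [], {}
    for flags, alg, key_b64 in dnskeys:
        rdata = dnskey_rdata(flags, alg, base64.b64decode(key_b64))
        tag = key_tag(rdata)
        computed[(tag, alg)] = rdata
        role = "KSK" if flags & 1 else "ZSK"   # SEP bit marks the KSK
        if alg in SHA1_SIGNING_ALGS:
            findings.append(f"{role} tag {tag}: algorithm {alg} signs with SHA-1")
    for tag, alg, dtype, digest in ds_records:
        if dtype == 1:
            findings.append(f"DS tag {tag}: digest type 1 (SHA-1) should be dropped")
        rdata = computed.get((tag, alg))
        if rdata is None:
            findings.append(f"DS tag {tag}: no DNSKEY with that tag/algorithm in the zone")
        elif dtype in DS_DIGEST and ds_digest(owner, rdata, dtype) != digest.lower():
            findings.append(f"DS tag {tag}: digest does not match the DNSKEY")
    return findings
```

Feed it the DNSKEY RRset fetched from the zone (flags, algorithm, base64 key) and the DS RRset from the parent, and every finding maps to one of the points the post raises.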