[dns-operations] help with a resolution
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jan 8 15:05:53 UTC 2020
On Wed, Jan 08, 2020 at 08:11:56PM +0530, Mukund Sivaraman wrote:
> [muks at jurassic ~/tmp-dnssec]$ dnssec-keygen -f KSK example.org
> Generating key pair..................+++++ .............+++++
> Kexample.org.+005+04222
>
> [muks at jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+005+04222
> example.org. IN DS 4222 5 1 7B83C10E0220CA65139DFFE14F3F24B8D8ACAEA2
> example.org. IN DS 4222 5 2 06B8EB5B92B64B87C75E7B0F589876067E4E31B6F34750DA853FF5D79101D831
Algorithm 5 (which signs with SHA-1) SHOULD NOT be used in new
deployments. The current best-practice choices are algorithm 8 (RSA
with SHA2-256) and algorithm 13 (ECDSA with NIST curve P-256 and
SHA2-256).
Of these two, I'd recommend algorithm 13, because it produces signatures
that are more secure and substantially more compact. Indeed algorithm
13 is now the most popular algorithm among signed domains, having
recently surpassed 8:
https://stats.dnssec-tools.org/#parameter
Algorithm 5 is a very distant 4th.
> Also note that hash algorithm 1 (in the "5 1" RR printed above) stands
> for SHA-1 hash which is weakening in security day by day, so you would
> probably want to add only the "5 2" RR from above, where 2 stands for
> SHA-256. A complete list of these is here:
> https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
This is wrong. The attacks are not against the digest algorithm that's
hashing the key. With the DS RR digest types there are no collision
issues, and only SHA-1 2nd-preimage resistance matters, which remains
unbroken.
Instead, the attacks are against SHA-1 based *signature* algorithms,
where the key-holder (typically parent zone) signs data that is partly
under the control of potentially hostile others. So the important
thing is avoiding algorithms 5 and 7, NOT avoiding digest type 1.
--
Viktor.
More information about the dns-operations
mailing list