[dns-operations] help with a resolution

Mukund Sivaraman muks at mukund.org
Fri Jan 10 14:39:20 UTC 2020


On Thu, Jan 09, 2020 at 12:38:05PM +0530, Mukund Sivaraman wrote:
> > > Loop's toolchain has had the default algorithms so, which it inherited. There
> > > is a branch that changes the defaults, but it won't be merged in the first
> > > quarter of this year.
> > 
> > If there is a default, it should promptly change to 8 or 13.
> 
> I will prioritize it.

This work has been merged now in Loop, to match the recommendations of
RFC 8624:

* dnssec-keygen by default creates ECDSAP256SHA256 keys
* dnssec-dsfromkey by default generates DS with SHA-256 and SHA-384 digests
* dnssec-dsfromkey cannot be used to create DS with a SHA-1 digest
* dnssec-keygen -3 argument has been removed (redundant with -a)
* dnssec-dsfromkey -1 and -2 arguments have been removed (redundant with -a)
* Documentation and tests were updated for the above

[muks at jurassic ~/tmp-dnssec]$ dnssec-keygen example.org
Generating key pair.
Kexample.org.+013+21773
[muks at jurassic ~/tmp-dnssec]$ cat Kexample.org.+013+21773.key 
; This is a zone-signing key, keyid 21773, for example.org.
; Created: 20200110143300 (Fri Jan 10 20:03:00 2020)
; Publish: 20200110143300 (Fri Jan 10 20:03:00 2020)
; Activate: 20200110143300 (Fri Jan 10 20:03:00 2020)
example.org. IN DNSKEY 256 3 13 X5t7zeDf1PSTfkXbZBXcEJUK0PU15GlNlANqSDt9GsTL68FkA4R2H66D zaz+Xeqe+wZKJikqcpSeQweDbJ7tEA==
[muks at jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+013+21773
example.org. IN DS 21773 13 2 86A48213B13F14A92865CFDAB9D0F6536979609729018DA52EED4684D110A95E
example.org. IN DS 21773 13 4 21A134504A1553844B86D01FBB4F8B383BF2924CCC82BE54D7ABD371F45C33FF5E602CA02168C9AB7915B1D14F60A201
[muks at jurassic ~/tmp-dnssec]$ 

The RSASHA1 and RSASHA1-NSEC3-SHA1 algorithms are still available for
selection during key generation using dnssec-keygen -a. We will wait for
dnsop activity before removing them. Separately, the resolver's
validator continues to support them.

The dist builder has been triggered; packages will appear in the
repositories in a few hours after the platform workers finish their
builds and tests.

It appears that the dnssec-* programs ought to be renamed so that
there's no confusion with BIND's utilities. There's already a bug
ticket. I will make a note on it.

(BTW, thank you for kindly mentioning that the default should be
promptly changed, and not being overly critical as RFC 8624 has been out
for ~7 months now. It is much appreciated.)

Mukund
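To show what these defaults actually produce, the following is an added example (not Loop's own code) that reproduces the DS records in the session above from the DNSKEY record, per RFC 4034: key tag from Appendix B, digest over the canonical owner name plus the DNSKEY RDATA, with digest type 1 (SHA-1) refused in the same way dnssec-dsfromkey now refuses it. The owner name and DNSKEY are taken from the message; the function names are mine.

```python
import base64
import hashlib
import struct

# DNSKEY record copied from the dnssec-keygen session in the message above.
OWNER = "example.org."
DNSKEY_RR = ("example.org. IN DNSKEY 256 3 13 "
             "X5t7zeDf1PSTfkXbZBXcEJUK0PU15GlNlANqSDt9GsTL68FkA4R2H66D "
             "zaz+Xeqe+wZKJikqcpSeQweDbJ7tEA==")

# RFC 8624 DS digest guidance: SHA-256 (type 2) required, SHA-384 (type 4)
# recommended, SHA-1 (type 1) not to be used for new DS records.
DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def digest_allowed(digest_type: int) -> bool:
    """True only for the digest types still emitted (SHA-1 is refused)."""
    return digest_type in DS_DIGESTS

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 section 6.2)."""
    labels = [l.encode("ascii") for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(rr: str) -> bytes:
    """Presentation-format DNSKEY RR -> wire RDATA (flags, proto, alg, key)."""
    f = rr.split()  # owner class type flags protocol algorithm key-chunks...
    key = base64.b64decode("".join(f[6:]))
    return struct.pack("!HBB", int(f[3]), int(f[4]), int(f[5])) + key

def key_tag(rdata: bytes) -> int:
    """Key tag for non-RSAMD5 algorithms (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rr: str, digest_type: int) -> str:
    """DS RR for the DNSKEY: digest over canonical owner name + DNSKEY RDATA."""
    if not digest_allowed(digest_type):
        raise ValueError(f"DS digest type {digest_type} is not allowed")
    rdata = dnskey_rdata(rr)
    digest = DS_DIGESTS[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    # rdata[3] is the DNSKEY algorithm byte (13 = ECDSAP256SHA256).
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest.upper()}"

if __name__ == "__main__":
    for dt in (2, 4):
        print(make_ds(OWNER, DNSKEY_RR, dt))
```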