[dns-operations] (no subject)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jun 12 14:41:12 UTC 2023


On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:

> What is the best algorithm for ksk and zsk?

The BCP algorithm is ECDSAP256SHA256(13).  This is both more secure and
more compact than RSA.  It is in wide use:

    https://stats.dnssec-tools.org/
    https://stats.dnssec-tools.org/#/?dnssec_param_tab=0

Today, out of 22,010,850 known signed zones, the number with algorithm
14 KSKs is 9,982,219 or just over 45%.

If you choose NSEC3, set the additional iteration count to 0, and avoid
opt-out unless you're operating a particularly large (10M+ delegations)
zone that is thinly signed.  An empty salt is also sensible.

> Is there, after generating the ksk and zsk keys, automatic rollover of keys
> and automatic signature of zones from the point of view that technical
> interaction is no longer necessary for this?

BIND supports automatic zone resigning and also automatic ZSK rollovers.
IIRC BIND also supports KSK rollovers, with prior KSK deactivation
gated on the publication of matching parent DS records for the new KSKs.

Don't choose automatic transition based on just a timer; if the parent
DS is not ready, stick with the old KSK indefinitely!

> An example:
> Zone ....example.com.br signed!
> Zone....one.example.com.br (to sign this zone) I need to copy something
> inside the zone because it is a daughter of the example.com.br zone.

I haven't looked into whether BIND automatically does the right thing
vis-à-vis DS records when it serves both sides of a zone cut.  Best to check
the documentation, but it would seem like something that *should be* taken
care of in a sufficiently recent release.

-- 
    Viktor.
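As an added example (not part of Viktor's reply, nor BIND's own tooling), a small Python audit that reads a zone's DNSKEY, NSEC3PARAM and NSEC3 records in dig's presentation format and reports deviations from the settings recommended above: algorithm 13 for both KSK and ZSK, zero extra NSEC3 iterations, an empty salt, and no opt-out. The sample records are constructed, with the key material elided.

```python
BCP_ALGORITHM = 13  # ECDSAP256SHA256, the algorithm recommended in the reply


def audit_dnssec_records(lines):
    """Audit DNSKEY, NSEC3PARAM and NSEC3 records (presentation format, as
    printed by dig) and return a list of deviations from the advice above.
    An empty list means the zone follows it."""
    findings = []
    for raw in lines:
        fields = raw.split(";", 1)[0].split()  # drop dig comments and blanks
        if "IN" not in fields:
            continue
        cls = fields.index("IN")  # the TTL before the class may be absent
        owner, rrtype, rdata = fields[0], fields[cls + 1], fields[cls + 2:]
        if rrtype == "DNSKEY":
            # rdata: flags protocol algorithm public-key; SEP bit (0x0001) marks the KSK
            flags, algorithm = int(rdata[0]), int(rdata[2])
            role = "KSK" if flags & 0x0001 else "ZSK"
            if algorithm != BCP_ALGORITHM:
                findings.append(f"{owner} {role} uses algorithm {algorithm}, not 13")
        elif rrtype == "NSEC3PARAM":
            # rdata: hash-algorithm flags iterations salt ("-" means empty salt)
            iterations, salt = int(rdata[2]), rdata[3]
            if iterations != 0:
                findings.append(f"{owner} NSEC3PARAM has {iterations} extra iterations, not 0")
            if salt != "-":
                findings.append(f"{owner} NSEC3PARAM uses a non-empty salt ({salt})")
        elif rrtype == "NSEC3" and int(rdata[1]) & 0x01:
            # rdata: hash-algorithm flags iterations salt next-hashed-owner types;
            # flag bit 0x01 is Opt-Out (it lives on NSEC3, not on NSEC3PARAM)
            findings.append(f"{owner} NSEC3 record has opt-out enabled")
    return findings


# Constructed sample (not real data): a zone that breaks all four recommendations.
SAMPLE = """\
;; ANSWER SECTION:
example.com.br. 3600 IN DNSKEY 257 3 13 <ksk-public-key-elided>
example.com.br. 3600 IN DNSKEY 256 3 8 <zsk-public-key-elided>
example.com.br. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
2vptu5timamqttgl4luu9kg21e0aor3s.example.com.br. 3600 IN NSEC3 1 1 10 AABBCCDD 6d1jaeq5bhl4j7fl1j9gqfp3fkohu0hd A RRSIG
"""

if __name__ == "__main__":
    for finding in audit_dnssec_records(SAMPLE.splitlines()):
        print(finding)
```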