Correct. The RFC is a bit behind the whole post quantum crypto effort, but I would expect it to get updated with both Hashes and Lattice-based crypto in the upcoming years. This is more of a - 'here's where we will need to go over the next decade' rather than an issue with not following the existing standard. With that in mind, it may be more useful for an experimental release rather than a production one (as DNS clients may not be able to understand the communications).
Hopefully, the cryptographic modules in BIND are flexible enough that adding new hashes or cipher suites is a minor configuration issue rather than an overhaul.

RW

________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Danilo Godec via bind-users <bind-users@lists.isc.org>
Sent: Wednesday, October 16, 2024 8:21 AM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: Re: DS digest type(s)

This email originated from outside of TESLA. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I've been looking at RFC8624 and there is no mention of SHA-512 - just this:

+--------+-----------------+-------------------+-------------------+
| Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
+--------+-----------------+-------------------+-------------------+
| 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
| 1      | SHA-1           | MUST NOT          | MUST              |
| 2      | SHA-256         | MUST              | MUST              |
| 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
| 4      | SHA-384         | MAY               | RECOMMENDED       |
+--------+-----------------+-------------------+-------------------+

Are there any newer RFCs or guidelines regarding DNSSEC algorithms?

Danilo

On 16. 10. 24 14:15, Robert Wagner wrote:
Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) <https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF>

My understanding is this will be the base requirement for all US Government cryptography.
RW

________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Danilo Godec via bind-users <bind-users@lists.isc.org>
Sent: Wednesday, October 16, 2024 8:00 AM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: DS digest type(s)

Hi,

I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, while SHA-256 is mandatory and has to exist. That leaves SHA-384, which is optional and I can generate manually with 'dnssec-dsfromkey'.

Since I have to ask my registrar to add DS records to parent zones (.eu in this case), I can just send them both records, right?

Is it also possible to have dnssec-policy generate both digest types as CDS records?

Regards,
Danilo

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Best regards,
--
Danilo Godec | System Administration
AGENDA d.o.o. | Ul. Pohorskega bataljona 49, SI-2000 Maribor
E: danilo.go...@agenda.si | T: +386 (0)2 421 61 31
Agenda OpenSystems <https://www.agenda.si/> | Largest Slovenian open-source integrator
Red Hat in Slovenia <http://www.redhat.si/> | Red Hat Premier Business Partner
ElasticBox <http://elasticbox.eu/> | Business solutions in the cloud
Legal disclaimer statement <https://www.agenda.si/index.php?id=228>
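As an added illustration of what the thread discusses (one KSK, several DS records with different digest types), the following Python computes DS records with digest types 2 (SHA-256) and 4 (SHA-384) from a DNSKEY exactly as RFC 4034 defines them, and shows the validator-side check that a published DS actually matches the child's key. This is example code written for this page, not BIND's or ISC's code; the owner name, key bytes and algorithm number are constructed sample values.

```python
import hashlib
import struct

# Digest types implemented here (numbers from the RFC 8624 table above).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def ds_records(owner, flags, protocol, algorithm, pubkey, digest_types=(2, 4)):
    """One DS record per requested digest type, all carrying the same key tag and algorithm."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    return [f"{owner} IN DS {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}" for dt in digest_types]


def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey) -> bool:
    """Validator's view: recompute the digest the DS names and compare it with the child's DNSKEY."""
    f = ds_text.split()
    tag, alg, dt, digest = int(f[3]), int(f[4]), int(f[5]), f[6]
    if dt not in DIGESTS:  # digest type this example does not implement: cannot confirm a match
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return alg == algorithm and tag == key_tag(rdata) and digest == ds_digest(owner, rdata, dt)


if __name__ == "__main__":
    # Constructed sample: KSK (flags 257), algorithm 13, 32 placeholder key bytes.
    for rec in ds_records("example.eu.", 257, 3, 13, bytes(range(32))):
        print(rec)
```

Both records are valid for the same KSK, which is why a registrar can be handed the SHA-256 and SHA-384 DS together; a validator that supports either digest type can confirm the delegation.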