On Thu, Jan 09, 2020 at 12:38:05PM +0530, Mukund Sivaraman wrote:
> > > Loop's toolchain has had the default algorithms so, which it inherited. There
> > > is a branch that changes the defaults, but it won't be merged in the first
> > > quarter of this year.
> >
> > If there is a default, it should promptly change to 8 or 13.
>
> I will prioritize it.
This work has been merged now in Loop, to match the recommendations of
RFC 8624:
* dnssec-keygen by default creates ECDSAP256SHA256 keys
* dnssec-dsfromkey by default generates DS with SHA-256 and SHA-384 digests
* dnssec-dsfromkey cannot be used to create DS with a SHA-1 digest
* dnssec-keygen -3 argument has been removed (redundant with -a)
* dnssec-dsfromkey -1 and -2 arguments have been removed (redundant with -a)
* Documentation and tests were updated for the above
[muks@jurassic ~/tmp-dnssec]$ dnssec-keygen example.org
Generating key pair.
Kexample.org.+013+21773
[muks@jurassic ~/tmp-dnssec]$ cat Kexample.org.+013+21773.key
; This is a zone-signing key, keyid 21773, for example.org.
; Created: 20200110143300 (Fri Jan 10 20:03:00 2020)
; Publish: 20200110143300 (Fri Jan 10 20:03:00 2020)
; Activate: 20200110143300 (Fri Jan 10 20:03:00 2020)
example.org. IN DNSKEY 256 3 13
X5t7zeDf1PSTfkXbZBXcEJUK0PU15GlNlANqSDt9GsTL68FkA4R2H66D
zaz+Xeqe+wZKJikqcpSeQweDbJ7tEA==
[muks@jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+013+21773
example.org. IN DS 21773 13 2
86A48213B13F14A92865CFDAB9D0F6536979609729018DA52EED4684D110A95E
example.org. IN DS 21773 13 4
21A134504A1553844B86D01FBB4F8B383BF2924CCC82BE54D7ABD371F45C33FF5E602CA02168C9AB7915B1D14F60A201
[muks@jurassic ~/tmp-dnssec]$
The RSASHA1 and RSASHA1-NSEC3-SHA1 algorithms are still available for
selection during key generation using dnssec-keygen -a. We will wait for
dnsop activity before removing them. Separately, the resolver's
validator continues to support them.
The dist builder has been triggered; packages will appear in the
repositories in a few hours after the platform workers finish their
builds and tests.
It appears that the dnssec-* programs ought to be renamed so that
there's no confusion with BIND's utilities. There's already a bug
ticket. I will make a note on it.
(BTW, thank you for kindly mentioning that the default should be
promptly changed, and not being overly critical as RFC 8624 has been out
for ~7 months now. It is much appreciated.)
Mukund
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
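Added worked example, not part of the message above and not Loop's or BIND's own code: the DS computation that dnssec-dsfromkey performs, as specified in RFC 4034 section 5.1.4 (digest over the canonical owner name followed by the DNSKEY RDATA) and the key tag from RFC 4034 Appendix B, applied to the DNSKEY printed in the session above. The digest-type numbers (2 = SHA-256, 4 = SHA-384) are IANA registry values; SHA-1 (type 1) is refused here to mirror the behaviour described for dnssec-dsfromkey, and GOST (type 3) is simply left unsupported. Function and constant names are this example's own.

```python
"""DS record generation from a DNSKEY RR (RFC 4034 section 5.1.4).

Illustrative code only; not taken from Loop or BIND. Uses the standard library.
"""
import base64
import hashlib
import struct

# Constructed input: the DNSKEY from the key file shown earlier on the page.
SAMPLE_DNSKEY = (
    "example.org. IN DNSKEY 256 3 13 "
    "X5t7zeDf1PSTfkXbZBXcEJUK0PU15GlNlANqSDt9GsTL68FkA4R2H66D"
    "zaz+Xeqe+wZKJikqcpSeQweDbJ7tEA=="
)

# DS digest type (IANA) -> hashlib algorithm name. Type 1 (SHA-1) is
# deliberately absent: RFC 8624 lists it as MUST NOT for new delegations.
DIGEST_ALGORITHMS = {2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (a zero byte)."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(text: str):
    """Parse a presentation-format DNSKEY RR into its fields.

    Returns (owner, flags, protocol, algorithm, public_key_bytes)."""
    fields = text.split()
    if len(fields) < 7 or fields[1].upper() != "IN" or fields[2].upper() != "DNSKEY":
        raise ValueError("expected '<owner> IN DNSKEY <flags> <proto> <alg> <base64...>'")
    owner = fields[0]
    flags, proto, alg = (int(f) for f in fields[3:6])
    # The public key may be wrapped over several whitespace-separated chunks.
    key = base64.b64decode("".join(fields[6:]), validate=True)
    return owner, flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(text: str, digest_type: int) -> str:
    """Return the DS RR (presentation format) for the given DNSKEY and digest type."""
    owner, flags, proto, alg, key = parse_dnskey(text)
    if digest_type == 1:
        raise ValueError("refusing to emit a SHA-1 DS digest (RFC 8624: MUST NOT)")
    try:
        algo = DIGEST_ALGORITHMS[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    rdata = dnskey_rdata(flags, proto, alg, key)
    # digest = hash(canonical owner name || DNSKEY RDATA)
    digest = hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    for dtype in sorted(DIGEST_ALGORITHMS):
        print(ds_from_dnskey(SAMPLE_DNSKEY, dtype))
```

Run it and compare the two lines it prints against the dnssec-dsfromkey output in the session above; both the key tag (21773) and the digests should match. Asking for digest type 1 raises instead of producing a record, which is the behaviour a tool following RFC 8624 should expose.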
