Have you spoken with Joe Abley about this? I think he is still the CTO of .org.

-----Original Message-----
From: dns-operations <[email protected]> On Behalf Of Viktor Dukhovni
Sent: Tuesday, February 4, 2020 9:04 PM
To: [email protected]
Subject: [Non-DoD Source] [dns-operations] .ORG still using SHA-1 DNSKEYs

Anyone know whom at PIR to nag?  I see that .ORG are still using RSA-SHA1 DNSKEYs:

    org. IN DS 9795 7 2 3922b31b6f3a4ea92b19eb7b52120f031fd8e05ff0b03bafcf9f891bfe7ff8e5
    org. IN DS 9795 7 1 364dfab3daf254cab477b5675b10766ddaa24982

The DNSKEYs are (and have been):

     alg | flags | bits | ~active     | ~inactive
    -----+-------+------+-------------+-----------
       7 |   257 | 2048 |<<2017-10-19 |
       7 |   257 | 2048 |<<2017-10-19 |
    -----+-------+------+-------------+-----------
       7 |   256 | 1024 | 2018-11-17  | 2019-01-10
       7 |   256 | 1024 | 2018-12-09  | 2019-02-09
       7 |   256 | 1024 | 2019-01-10  | 2019-03-10
       7 |   256 | 1024 | 2019-02-09  | 2019-04-09
       7 |   256 | 1024 | 2019-03-10  | 2019-05-10
       7 |   256 | 1024 | 2019-04-09  | 2019-06-09
       7 |   256 | 1024 | 2019-05-10  | 2019-07-09
       7 |   256 | 1024 | 2019-06-09  | 2019-08-09
       7 |   256 | 1024 | 2019-07-09  | 2019-09-10
       7 |   256 | 1024 | 2019-08-09  | 2019-10-11
       7 |   256 | 1024 | 2019-09-10  | 2019-11-10
       7 |   256 | 1024 | 2019-10-11  | 2019-12-09
       7 |   256 | 1024 | 2019-11-10  | 2020-01-09
       7 |   256 | 1024 | 2019-12-09  |
       7 |   256 | 1024 | 2020-01-09  |

Which looks like monthly ZSK rotation, nice!  But, all the keys are RSA-SHA1, and it is unclear what the second KSK is for (only one matches the DS RRset, is it some sort of "backup"?).

It would be nice to see these move to RSASHA256 (algorithm 8) with a 1280-bit ZSK.  Or ECDSAP256SHA256 (algorithm 13).  Staying with RSA-SHA1 is no longer a sound choice.

-- 
    Viktor.
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
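
An added example, not part of the thread: the two checks made in the quoted message (which keys and DS records still depend on SHA-1, and which KSK the DS RRset actually points at) written as a small offline audit using the key tag and DS digest calculations from RFC 4034. The function names, the "example." zone and the key bytes are constructed for illustration; they are not the .ORG keys.

```python
import hashlib
import struct

SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}  # IANA DNSSEC algorithm numbers
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}       # IANA DS digest types

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), as lower-case hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()

def audit(owner, ds_set, dnskeys):
    """ds_set: (tag, alg, digest_type, hex); dnskeys: (flags, alg, pubkey)."""
    findings = [f"DS {t}: SHA-1 digest (type 1)" for t, _, dt, _ in ds_set if dt == 1]
    for flags, alg, pubkey in dnskeys:
        rdata = dnskey_rdata(flags, alg, pubkey)
        tag = key_tag(rdata)
        if alg in SHA1_ALGS:
            findings.append(f"DNSKEY {tag}: signs with {SHA1_ALGS[alg]}")
        matched = any(t == tag and a == alg and dt in DIGESTS
                      and d.lower() == ds_digest(owner, rdata, dt)
                      for t, a, dt, d in ds_set)
        if flags & 1 and not matched:  # SEP bit set (KSK) but no DS points at it
            findings.append(f"DNSKEY {tag}: KSK not referenced by any DS")
    return findings

# Constructed sample zone: the key bytes are placeholders, not real keys.
KSK_A = (257, 7, b"\x03\x01\x00\x01" + b"\xaa" * 16)
KSK_B = (257, 7, b"\x03\x01\x00\x01" + b"\xbb" * 16)
ZSK = (256, 7, b"\x03\x01\x00\x01" + b"\xcc" * 16)
RDATA_A = dnskey_rdata(*KSK_A)
SAMPLE_DS = [(key_tag(RDATA_A), 7, dt, ds_digest("example.", RDATA_A, dt)) for dt in (2, 1)]

if __name__ == "__main__":
    for line in audit("example.", SAMPLE_DS, [KSK_A, KSK_B, ZSK]):
        print(line)
```

On the constructed zone this reports the type 1 DS, all three algorithm 7 keys, and the second KSK as unreferenced, which mirrors the situation described for the two flags-257 keys above.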
