On Jan 28 2010, Florian Weimer wrote:

> * prock:
> 
>> In a DNSSEC compliant world (I know we're not there yet) we need to
>> give a copy of our DSSET and KEYSET to our parent domain.  Please
>> confirm that is an accurate statement.
> 
> Parent zone policies vary.  Some require DS RRs, some DNSKEY RRs.
> Demanding DNSKEY RRs can prolong the life of signature schemes with
> certain weaknesses (which might be helpful at some point in the
> future).

I take it you refer there to the digest type field in the DS record?

Even if the child provides only a DS using SHA-1, it is of course
possible to recover the DNSKEY record (provided it actually exists!)
and validate it (providing you still trust SHA-1!) and make a DS record
using SHA-256 instead. In fact, that seems to be what ISC do when
they take the IANA ITAR (in which many entries only have digesttype=1)
and massage them for inclusion in dlv.isc.org (where the DLV records
always come in pairs with digesttype=1 and digesttype=2). [Self
registration at dlv.isc.org asks for DNSKEY records in the first
place, of course.]

--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
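The re-digesting step Chris describes (check a DNSKEY against the DS you already have, then produce a digest type 2 DS for the same key) is straightforward to do yourself. Below is an added example, not code from the thread or from ISC's DLV tooling; it follows RFC 4034 for the DS digest input and the key tag, and the DNSKEY bytes in it are a constructed dummy, not a real key.

```python
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercased labels,
    each prefixed by its length, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type):
    """Return a DS RR as (key_tag, algorithm, digest_type, DIGEST_HEX).
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def reissue_ds(owner, flags, protocol, algorithm, pubkey, trusted_ds, new_digest_type=2):
    """Only if the DNSKEY reproduces the DS we already trust (whatever its digest
    type) do we emit a DS with the stronger digest; otherwise return None."""
    tag, alg, dtype, digest = trusted_ds
    if make_ds(owner, flags, protocol, algorithm, pubkey, dtype) != (tag, alg, dtype, digest.upper()):
        return None
    return make_ds(owner, flags, protocol, algorithm, pubkey, new_digest_type)


if __name__ == "__main__":
    dummy_key = b"\x01\x02\x03\x04"  # constructed placeholder, not a real key
    sha1_ds = make_ds("example.com.", 256, 3, 8, dummy_key, 1)
    print("existing DS (type 1):", sha1_ds)
    print("reissued DS (type 2):", reissue_ds("example.com.", 256, 3, 8, dummy_key, sha1_ds))
```

The SHA-1 match is the only thing tying the new DS to the key, so the reissued record is exactly as trustworthy as the SHA-1 digest you started from.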
