Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov)<https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF>
My understanding is this will be the base requirement for all US Government cryptography.

RW

________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Danilo Godec via bind-users <bind-users@lists.isc.org>
Sent: Wednesday, October 16, 2024 8:00 AM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: DS digest type(s)

Hi,

I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types.

Apparently, SHA-1 is deprecated and shouldn't be used anymore, while SHA-256 is mandatory and has to exist. That leaves SHA-384, which is optional and I can generate manually with 'dnssec-dsfromkey'.

Since I have to ask my registrar to add DS records to parent zones (.eu in this case), I can just send them both records, right?

Is it also possible to have dnssec-policy to generate both digest types as CDS records?

Regards,

Danilo

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
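How one KSK yields several DS records that differ only in digest type, as an added example that is not part of either message and not ISC's code: it derives the SHA-256 (type 2) and SHA-384 (type 4) DS lines from a single DNSKEY using the RFC 4034 digest and key tag rules. The zone name `example.eu`, the sample key bytes and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry): 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Owner name in canonical wire format: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_records(owner, flags, protocol, algorithm, key_b64, digest_types=(2, 4)):
    """Return one DS line per digest type, all derived from the same DNSKEY."""
    if not flags & 0x0100:
        raise ValueError("DS must refer to a DNSKEY with the Zone Key flag set")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    tag = key_tag(rdata)
    fqdn = owner.rstrip(".") + "."
    lines = []
    for dtype in digest_types:
        if dtype not in DIGESTS:
            raise ValueError(f"unsupported digest type {dtype}")
        # digest = hash(owner name in wire format | DNSKEY RDATA)
        digest = DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
        lines.append(f"{fqdn} IN DS {tag} {algorithm} {dtype} {digest}")
    return lines

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256
# (algorithm 13) public key; not a real key. "example.eu" is a placeholder zone.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for line in ds_records("example.eu", 257, 3, 13, SAMPLE_KEY_B64):
        print(line)
```

Both output lines carry the same key tag and algorithm; only the digest type and digest differ, so a validator can match either record against the same KSK.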