Dear Dennis,

On Mon, Feb 01, 2021 at 11:21:30AM +0100, Dennis Baaten via Opendnssec-user wrote:
> When performing tests using DNSViz.net, the algorithm used for creating the
> DS is shown: Digest type / Digest alg. For the record: this is not the same
> as the DNSSEC algorithm
> (https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml).
> As the DS Digest type is currently set to "1" (which is SHA-1) I would like
> to change this in my ODS configuration. However, I cannot find any
> documentation on how to change this and which values are supported. RFC5155
> only mentions SHA-1: https://tools.ietf.org/html/rfc5155#section-11.
> My guess is that it is related to this section in kasp.xml:
> <NSEC3><HASH><Algorithm>1</Algorithm></HASH></NSEC3>. If so, then I'm also
> guessing (based on testing other domains using DNSViz) that I can change
> this to "2" being SHA-256.
The hash for generating a DS is something different from the hash used in NSEC3 records.

A DS record points to a DNSKEY record by hashing it. This needs to be secure, so yes, a SHA-1 hash no longer suffices. OpenDNSSEC no longer outputs SHA-1 hashes unless you explicitly request it to do so. Getting a hash as soon as a new KSK is ready is done by running:

    ods-enforcer key export -z example.com --ds

If the KSK is already active you will have to use an additional -e flag.

The hashing used for NSEC3 does not need to be so precise. You cannot create a false hash, as the NSEC3 records themselves are signed. The only reason for hashing is to avoid easy zone walking (i.e. retrieving all names from a zone). You can only make this a bit harder with other hashing algorithms, at great expense of all. So basically not worth it and never done.

> Last but not least: any thoughts on how to perform this algorithm rollover?

Algorithm rollovers are another thing. This is the algorithm used by the KSK itself to sign the DNSKEY set. The answer is simple. Just update the Algorithm of the KSK or ZSK in the kasp.xml and reread this policy file using "ods-enforcer policy import". The next rollover will be an algorithm rollover.

Berry

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
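To make the distinction in Berry's reply concrete (a DS is a hash of the DNSKEY record, with digest type 1 = SHA-1 and 2 = SHA-256, separate from both the DNSKEY algorithm number and the NSEC3 hash), here is an added example that is not part of the mailing-list thread and not OpenDNSSEC's own code. It computes a DS from a DNSKEY the way RFC 4034 specifies (digest over the owner name in wire format followed by the DNSKEY RDATA, plus the RFC 4034 Appendix B key tag) and checks an existing DS record against it, flagging digest type 1. The DNSKEY public key below is a constructed byte pattern, not a real key; a practitioner would instead feed the KSK from their zone and the DS line produced by `ods-enforcer key export --ds` (or the DS published at the parent) to confirm they match and use SHA-256 before and after a rollover.

```python
import base64
import hashlib

# DS digest types from the IANA "DS RR Type Digest Algorithms" registry.
# Types 1/2/4 are implemented with hashlib; digest type 1 (SHA-1) is flagged as weak.
DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}
WEAK_DIGEST_TYPES = {1}

# Constructed sample key material (NOT a valid ECDSA point, just 64 bytes 0x01..0x40).
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode("ascii")
SAMPLE_DNSKEY = f"{SAMPLE_OWNER} IN DNSKEY 257 3 13 {SAMPLE_PUBKEY_B64}"


def name_to_wire(name):
    """Owner name in canonical wire format: lower-cased, length-prefixed labels, root = 0x00."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (16-bit checksum over the DNSKEY RDATA)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation):
    """'owner [class] DNSKEY flags protocol algorithm base64...' -> (owner, flags, proto, alg, b64)."""
    f = presentation.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:])


def parse_ds(presentation):
    """'owner [class] DS keytag algorithm digesttype hex...' -> (keytag, alg, digesttype, HEX)."""
    f = presentation.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def compute_ds(dnskey_presentation, digest_type=2):
    """Derive the DS tuple (keytag, algorithm, digest type, digest hex) for a DNSKEY."""
    owner, flags, proto, alg, b64 = parse_dnskey(dnskey_presentation)
    rdata = dnskey_rdata(flags, proto, alg, b64)
    _, hashfn = DIGEST_TYPES[digest_type]
    digest = hashfn(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def ds_to_presentation(owner, ds):
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def check_ds(dnskey_presentation, ds_presentation):
    """Return (matches, warnings): does the published DS really hash this DNSKEY, and is it SHA-1?"""
    tag, alg, dtype, digest = parse_ds(ds_presentation)
    warnings = []
    if dtype in WEAK_DIGEST_TYPES:
        warnings.append(f"digest type {dtype} ({DIGEST_TYPES[dtype][0]}) is deprecated for DS")
    if dtype not in DIGEST_TYPES:
        return False, warnings + [f"unsupported digest type {dtype}"]
    expected = compute_ds(dnskey_presentation, dtype)
    return (tag, alg, dtype, digest) == expected, warnings


if __name__ == "__main__":
    ds = compute_ds(SAMPLE_DNSKEY, 2)
    print(ds_to_presentation(SAMPLE_OWNER, ds))
    print(check_ds(SAMPLE_DNSKEY, ds_to_presentation(SAMPLE_OWNER, ds)))
```

The check compares the full tuple, so a DS whose key tag and algorithm match but whose digest was generated from a different key (or a different digest type) is reported as a mismatch, which is the failure you want to catch at the parent before the old KSK is withdrawn.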
