Re: DS digest type(s)

2024-10-16 Thread Mark Andrews
> On 16 Oct 2024, at 23:00, Danilo Godec via bind-users wrote: > Hi, > I've been doing some more reading into DNSSEC and if I understand correctly, > it is allowed to have multiple DS records for one KSK - with different digest > types. Apparently, SHA-1 is deprecated and shouldn'

RE: DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Robert Mankowski
Thanks Greg. That is very helpful. Sorry I didn't find that article on my own. Bob From: Greg Choules Sent: Wednesday, October 16, 2024 10:10 AM To: Robert Mankowski Cc: bind-users@lists.isc.org Subject: Re: DNSSEC, OpenDNS and www.cdc.gov Hi Bob. See if this article helps any first, before we

Re: DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Greg Choules
Hi Bob. See if this article helps any first, before we get into configs: https://kb.isc.org/docs/the-umbrella-feature-in-detail Cheers, Greg > On 16 Oct 2024, at 14:55, Robert Mankowski wrote: > I recently implemented a forward only BIND server for home. I was forwarding > to OpenDNS Fam

DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Robert Mankowski
I recently implemented a forward only BIND server for home. I was forwarding to OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC (see delv tests below), but I don't believe it is my configuration be

Re: DS digest type(s)

2024-10-16 Thread Anand Buddhdev
On 16/10/2024 14:00, Danilo Godec via bind-users wrote: Hi Danilo, I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, w

Re: DS digest type(s)

2024-10-16 Thread Robert Wagner
Correct. The RFC is a bit behind the whole post quantum crypto effort, but I would expect it to get updated with both Hashes and Lattice-based crypto in the upcoming years. This is more of a - 'here's where we will need to go over the next decade' rather than an issue with not following the exis

Re: DS digest type(s)

2024-10-16 Thread Danilo Godec via bind-users
I've been looking at RFC8624 and there is no mention of SHA-512 - just this: | Number | Mnemonics | DNSSEC Delegation | DNSSEC Validation |

Re: DNSSEC algo rollover fails to delete old keys

2024-10-16 Thread Robert Wagner
Can do to provide instructions on how to follow the upcoming post quantum cryptography requirements? CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) It would be extremely helpful. If the crypto is not ready yet,

Re: DS digest type(s)

2024-10-16 Thread Robert Wagner
Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) My understanding is this will be the base requirement for all US Governm

DS digest type(s)

2024-10-16 Thread Danilo Godec via bind-users
Hi, I've been doing some more reading into DNSSEC and if I understand correctly, it is allowed to have multiple DS records for one KSK - with different digest types. Apparently, SHA-1 is deprecated and shouldn't be used anymore, while SHA-256 is mandatory and has to exist. That leaves SHA-3

Re: DNSSEC algo rollover fails to delete old keys

2024-10-16 Thread Matthijs Mekking
If you provide the output of `rndc dnssec -status` it might give a hint why the keys are still published. I suspect that BIND needs to be told that the DS has been withdrawn for the parent zone (assuming you don't have parental-agents set up). For future algorithm rollovers: You can just chan