DNSSEC DSSET & KEYSET

Chris Thompson cet1 at cam.ac.uk
Thu Jan 28 16:18:45 UTC 2010


On Jan 28 2010, Florian Weimer wrote:

>* prock:
>
>> In a DNSSEC compliant world (I know we're not there yet) we need to
>> give a copy of our DSSET and KEYSET to our parent domain.  Please
>> confirm that is an accurate statement.
>
>Parent zone policies vary.  Some require DS RRs, some DNSKEY RRs.
>Demanding DNSKEY RRs can prolong the life of signature schemes with
>certain weaknesses (which might be helpful at some point in the
>future).

I take it you refer there to the digest type field in the DS record?

Even if the child provides only a DS using SHA-1, it is of course
possible to recover the DNSKEY record (provided it actually exists!)
and validate it (providing you still trust SHA-1!) and make a DS record
using SHA-256 instead. In fact, that seems to be what ISC do when
they take the IANA ITAR (in which many entries only have digesttype=1)
and massage them for inclusion in dlv.isc.org (where the DLV records
always come in pairs with digesttype=1 and digesttype=2). [Self
registration at dlv.isc.org asks for DNSKEY records in the first
place, of course.]

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
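The re-derivation Chris describes (check the published SHA-1 DS against the recovered DNSKEY, then emit a SHA-256 DS for the same key) as an added, stand-alone example that is not part of the original post. The DNSKEY below is constructed test data, not a real zone key; algorithm 8 and the name example.org. are assumptions.

```python
import base64
import hashlib
import struct
from typing import Optional

# Constructed example: flags=257 (KSK), protocol=3, algorithm=8, and 64 bytes of
# filler standing in for the public key. Only the DS arithmetic is exercised here.
EXAMPLE_NAME = "example.org."
EXAMPLE_DNSKEY = (257, 3, 8, base64.b64encode(bytes(range(1, 65))).decode())

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as carried on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, dnskey: tuple, digest_type: int) -> tuple:
    """DS RDATA (key tag, algorithm, digest type, hex digest) for a DNSKEY.
    The digest covers owner-name-in-wire-form || DNSKEY RDATA."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), dnskey[2], digest_type, digest

def ds_matches(owner: str, dnskey: tuple, ds: tuple) -> bool:
    """Validate a published DS against a recovered DNSKEY before trusting that key."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False  # unknown digest type: cannot be validated, so no match
    return make_ds(owner, dnskey, dtype) == (tag, alg, dtype, digest.lower())

def upgrade_ds(owner: str, dnskey: tuple, sha1_ds: tuple) -> Optional[tuple]:
    """If the SHA-1 DS matches the DNSKEY, return the SHA-256 DS for the same key."""
    if not ds_matches(owner, dnskey, sha1_ds):
        return None
    return make_ds(owner, dnskey, 2)
```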
