Support for SHA256 in ds-rdata checker
I'm not sure whether this belongs here or in the dns-wg (or somewhere else?). I just updated the ds-rdata of one of our domain objects and realized that the RDNS checker does not support SHA-256, neither for the DS record nor as part of signature algorithm 8 (RSASHA256) ***RDNS: (related to set) INFO: 6199 8 2 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592 ; uses a Digest type that is not implemented by this checker. We cannot verify if the chain of trust is intact. You should be conciously using digest types other than SHA1 ***RDNS: (related to ns2.switch.ch) INFO: The signature over DNSKEY is made with algorithm code 8 The checker does not implement this algorithm and can therefore not validate the chain of trust It is assumed that using algoritm type 8 is a conscious choice. SHA256 has been in use for both purposes for a number of years. Are there any plans to support it in the RDNS checker? Regards, Alex -- SWITCH Serving Swiss Universities -------------------------- Alexander Gall, Global LAN Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 15, direct +41 44 268 15 22 alexander.gall@switch.ch, http://www.switch.ch
On 31/07/2012 01:14, Alexander Gall wrote: Dear Alexander,
I'm not sure whether this belongs here or in the dns-wg (or somewhere else?).
I just updated the ds-rdata of one of our domain objects and realized that the RDNS checker does not support SHA-256, neither for the DS record nor as part of signature algorithm 8 (RSASHA256)
***RDNS: (related to set) INFO: 6199 8 2 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592 ; uses a Digest type that is not implemented by this checker. We cannot verify if the chain of trust is intact. You should be conciously using digest types other than SHA1
***RDNS: (related to ns2.switch.ch) INFO: The signature over DNSKEY is made with algorithm code 8 The checker does not implement this algorithm and can therefore not validate the chain of trust It is assumed that using algoritm type 8 is a conscious choice.
SHA256 has been in use for both purposes for a number of years. Are there any plans to support it in the RDNS checker?
We are aware of this limitation. Other users have also come across it, and asked us about it. We are actually in the middle of replacing our current delegation checker with the Swedish Registry's DNSCheck, which handles all the current algorithms. We're close to completing the replacement, so please watch out for an announcement very soon. Regards, Anand Buddhdev RIPE NCC
Hello Anand On Tue, 31 Jul 2012 09:31:20 -0700, Anand Buddhdev <anandb@ripe.net> said:
On 31/07/2012 01:14, Alexander Gall wrote: Dear Alexander,
I'm not sure whether this belongs here or in the dns-wg (or somewhere else?).
I just updated the ds-rdata of one of our domain objects and realized that the RDNS checker does not support SHA-256, neither for the DS record nor as part of signature algorithm 8 (RSASHA256)
***RDNS: (related to set) INFO: 6199 8 2 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592 ; uses a Digest type that is not implemented by this checker. We cannot verify if the chain of trust is intact. You should be conciously using digest types other than SHA1
***RDNS: (related to ns2.switch.ch) INFO: The signature over DNSKEY is made with algorithm code 8 The checker does not implement this algorithm and can therefore not validate the chain of trust It is assumed that using algoritm type 8 is a conscious choice.
SHA256 has been in use for both purposes for a number of years. Are there any plans to support it in the RDNS checker?
We are aware of this limitation. Other users have also come across it, and asked us about it. We are actually in the middle of replacing our current delegation checker with the Swedish Registry's DNSCheck, which handles all the current algorithms. We're close to completing the replacement, so please watch out for an announcement very soon.
Thanks for the info. This is good news :) Regards, Alex
participants (2)
-
Alexander Gall
-
Anand Buddhdev