[db-wg] Support for SHA256 in ds-rdata checker
Alexander Gall
gall at switch.ch
Thu Aug 2 08:57:15 CEST 2012
Hello Anand

On Tue, 31 Jul 2012 09:31:20 -0700, Anand Buddhdev <anandb at ripe.net> said:

> On 31/07/2012 01:14, Alexander Gall wrote:
> Dear Alexander,
>> I'm not sure whether this belongs here or in the dns-wg (or somewhere
>> else?).
>>
>> I just updated the ds-rdata of one of our domain objects and realized
>> that the RDNS checker does not support SHA-256, neither for the DS
>> record nor as part of signature algorithm 8 (RSASHA256)
>>
>> ***RDNS: (related to set) INFO: 6199 8 2
>> 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592
>> ; uses a Digest type that is not implemented by this
>> checker. We cannot verify if the chain of trust is intact.
>> You should be conciously using digest types other than SHA1
>>
>> ***RDNS: (related to ns2.switch.ch) INFO: The signature over DNSKEY
>> is made with algorithm code 8 The checker does not implement
>> this algorithm and can therefore not validate the chain of
>> trust It is assumed that using algoritm type 8 is a
>> conscious choice.
>>
>> SHA256 has been in use for both purposes for a number of years. Are
>> there any plans to support it in the RDNS checker?
> We are aware of this limitation. Other users have also come across it,
> and asked us about it. We are actually in the middle of replacing our
> current delegation checker with the Swedish Registry's DNSCheck, which
> handles all the current algorithms. We're close to completing the
> replacement, so please watch out for an announcement very soon.

Thanks for the info. This is good news :)

Regards,
Alex
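The thread above concerns a delegation checker that could not verify a DS record whose digest type is 2 (SHA-256), so it had to report the chain of trust as unverifiable. The Python below is an added example, not part of the original thread and not code from the RIPE checker or from DNSCheck; it shows what such a check actually does: build the DNSKEY RDATA, compute the key tag (RFC 4034 Appendix B), hash the owner name in wire form concatenated with the RDATA (RFC 4034 section 5.1.4) with the digest type named in the DS, and compare. The owner name and public key are constructed sample values, not switch.ch's real key, and an unknown digest type is reported as unsupported rather than treated as a failure, which mirrors the checker's INFO-level behaviour in the quoted output.

```python
import base64
import hashlib
import struct

# DS digest types (IANA "DS RR Digest Types") this example implements.
# Type 2 (SHA-256) is the one the checker in the thread lacked.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample values (not a real zone key).
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()


def wire_name(owner: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Uppercase hex digest over wire_name(owner) || DNSKEY RDATA."""
    try:
        hasher = DIGEST_TYPES[digest_type]
    except KeyError:
        raise ValueError(f"DS digest type {digest_type} not implemented") from None
    return hasher(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type) -> str:
    """Produce the DS RDATA text ("tag alg digest_type HEX") for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def check_ds(owner, ds_rdata, flags, protocol, algorithm, pubkey_b64) -> str:
    """Compare a DS RDATA string against a DNSKEY.

    Returns 'match', 'mismatch', or 'unsupported' (digest type not implemented,
    so nothing can be said about the chain of trust either way).
    """
    fields = ds_rdata.split()
    tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    digest = "".join(fields[3:]).upper()  # the hex digest may be wrapped across whitespace
    if dtype not in DIGEST_TYPES:
        return "unsupported"
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if tag != key_tag(rdata) or alg != algorithm:
        return "mismatch"
    return "match" if digest == ds_digest(owner, rdata, dtype) else "mismatch"


if __name__ == "__main__":
    # KSK flags 257, protocol 3, algorithm 8 (RSASHA256), digest type 2 (SHA-256)
    ds = make_ds(SAMPLE_OWNER, 257, 3, 8, SAMPLE_PUBKEY_B64, 2)
    print("DS:", ds)
    print("check:", check_ds(SAMPLE_OWNER, ds, 257, 3, 8, SAMPLE_PUBKEY_B64))
```

Adding a new digest type to such a checker is a one-line change to `DIGEST_TYPES`; the rest of the comparison is independent of the hash, which is why a checker that only knows SHA-1 has no way to validate a type-2 DS short of refusing it.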