[db-wg] Support for SHA256 in ds-rdata checker

Hello Anand

On Tue, 31 Jul 2012 09:31:20 -0700, Anand Buddhdev <anandb at ripe.net> said:

> On 31/07/2012 01:14, Alexander Gall wrote:
> Dear Alexander,

>> I'm not sure whether this belongs here or in the dns-wg (or somewhere
>> else?).
>> 
>> I just updated the ds-rdata of one of our domain objects and realized
>> that the RDNS checker does not support SHA-256, neither for the DS
>> record nor as part of signature algorithm 8 (RSASHA256)
>> 
>> ***RDNS:    (related to set) INFO: 6199 8 2
>> 03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592
>> ; uses a Digest type that is not implemented by this
>> checker. We cannot verify if the chain of trust is intact.
>> You should be conciously using digest types other than SHA1
>> 
>> ***RDNS:    (related to ns2.switch.ch) INFO: The signature over DNSKEY
>> is made with algorithm code 8 The checker does not implement
>> this algorithm and can therefore not validate the chain of
>> trust It is assumed that using algoritm type 8 is a
>> conscious choice.
>> 
>> SHA256 has been in use for both purposes for a number of years.  Are
>> there any plans to support it in the RDNS checker?

> We are aware of this limitation. Other users have also come across it,
> and asked us about it. We are actually in the middle of replacing our
> current delegation checker with the Swedish Registry's DNSCheck, which
> handles all the current algorithms. We're close to completing the
> replacement, so please watch out for an announcement very soon.

Thanks for the info.  This is good news :)

Regards,
Alex