[dnssec-deployment] what to hand your parent

Ólafur Guðmundsson ogud at ogud.com
Wed Sep 20 11:02:03 EDT 2006


The DNSEXT working group has standardized DS with RSA256, and
multiple implementations support it already.

The WG decided to defer the specification of
RSA + <stronger hash> until a later day when there is more guidance on
which HASH to use.

Because the DS is long lived, it was the most vulnerable point in DNSSEC.

RRSIGs are "short" lived, thus they are not as vulnerable.
Furthermore, due to the structured format of the data signed, there is
limited ability for attackers to put the data of their choice along with
the random data required to forge data to yield a signature that matches a valid
signature. RRSIGs are more resilient than the
underlying HASH algorithm.

         Olafur

At 08:30 20/09/2006, Steve Crocker wrote:
>Where do we stand on transition to hash algorithms stronger than
>SHA1?  I am hearing pressure to move beyond SHA1.
>
>Steve
>
>
>Steve Crocker
>steve at shinkuro.com
>
>Try Shinkuro's collaboration technology.  Visit www.shinkuro.com.  I
>am steve!shinkuro.com.
>
>
>On Sep 20, 2006, at 2:45 AM, Jakob Schlyter wrote:
>
>>what about other constraints?
>>
>>for the .SE keyman interface, we have the following requirements
>>for keys that will be published using DS:
>>
>>- a key MUST be a zone key (RFC4034 section 2.1.1)
>>- a key MUST have protocol == 3 (RFC4034 section 2.1.2)
>>- a key MUST NOT use a reserved algorithm (RFC4034 section 2.1.3,
>>i.e. 0 & 255 are not possible)
>>- a key MUST be marked as a Secure Entry Point (RFC4034 section
>>2.1.1 and RFC 3757)
>>
>>- at least one key in the keyset SHOULD use algorithm RSA/SHA1
>>- a key SHOULD NOT use algorithm RSA/MD5
>>- a key SHOULD NOT use an unknown algorithm
>>- a key SHOULD NOT have bit 0-6 or bit 8-14 of the flag field set
>>
>>does the list think these are reasonable requirements?
>>
>>         jakob
>>
>>
>>#############################################################
>>This message is sent to you because you are subscribed to
>>  the mailing list <dnssec-deployment at shinkuro.com>.
>>To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
>>A public archive is available here:
>><http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
>>and older material is at
>><http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
>
>
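The checks Jakob lists for the .SE keyman interface, and the DS that "you hand your parent", as an added Python example (not code from the list or from .SE). It assumes the algorithm table of RFC 4034 Appendix A for the "unknown algorithm" rule, DS digest types 1 (SHA-1) and 2 (SHA-256), and a constructed DNSKEY sample whose key material is only the RSA exponent prefix, not a real key.

```python
import base64
import hashlib

KNOWN_ALGS = {1: "RSA/MD5", 2: "DH", 3: "DSA", 5: "RSA/SHA1"}  # RFC 4034 App. A (assumed table)
ZONE_KEY, SEP = 0x0100, 0x0001  # flag bits 7 and 15 (RFC 4034 section 2.1.1, RFC 3757)
UNUSED_BITS = 0xFEFE            # bits 0-6 and 8-14 of the flags field

def parse_dnskey(text):
    """Parse one DNSKEY RR in presentation format: (owner, flags, protocol, algorithm, key)."""
    owner, _ttl, _cls, _type, flags, proto, alg, *b64 = text.split()
    return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))

def check_key(flags, proto, alg):
    """Return (musts, shoulds): the per-key rules from the list that this key violates."""
    musts, shoulds = [], []
    if not flags & ZONE_KEY: musts.append("not a zone key")
    if proto != 3: musts.append("protocol != 3")
    if alg in (0, 255): musts.append("reserved algorithm")
    if not flags & SEP: musts.append("SEP flag not set")
    if alg == 1: shoulds.append("uses RSA/MD5")
    if alg not in KNOWN_ALGS: shoulds.append("unknown algorithm %d" % alg)
    if flags & UNUSED_BITS: shoulds.append("unassigned flag bits set")
    return musts, shoulds

def check_keyset(keys):
    """Keyset rule: at least one key SHOULD use RSA/SHA1 (algorithm 5)."""
    return any(k[3] == 5 for k in keys)

def rdata(flags, proto, alg, key):
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata(flags, proto, alg, key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, proto, alg, key, digest_type):
    """Build the DS RDATA handed to the parent: key tag, algorithm, digest type, digest."""
    labels = [l for l in owner.lower().split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # 1 = SHA-1, 2 = SHA-256
    digest = h(wire_name + rdata(flags, proto, alg, key)).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(flags, proto, alg, key), alg, digest_type, digest)

# Constructed sample KSK (flags 257, protocol 3, RSA/SHA1); the "key" is only the 4-byte RSA
# exponent prefix 03 01 00 01, not a real public key.
SAMPLE = "example.se. 3600 IN DNSKEY 257 3 5 AwEAAQ=="
```

Run `check_key(*parse_dnskey(SAMPLE)[1:4])` to see the MUST/SHOULD findings for a record, and `ds_record(*parse_dnskey(SAMPLE), 2)` for the SHA-256 DS that would be submitted to the parent.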