[Dnssec-deployment] DNSSEC algorithms updated for .edu domains

Anthony Iliopoulos ailiop at lsu.edu
Mon Aug 9 17:34:27 EDT 2010


On Mon, Aug 09, 2010 at 02:22:59PM -0700, Michael Sinatra wrote:
> On 08/09/10 14:15, Paul Hoffman wrote:
> >At 2:45 PM -0600 8/9/10, Becky Granger wrote:
> >>Hello all -
> >>
> >>EDUCAUSE and VeriSign have worked together to enable algorithms 8, 10, and 12 for .edu domain DS records. The following is the complete list of supported algorithms for .edu domains:
> >>
> >>3:DSA/SHA1
> >>5:RSA/SHA-1
> >>6:DSA-NSEC3-SHA1
> >>7:RSASHA1-NSEC3-SHA1
> >>8:RSA/SHA-256
> >>10:RSA/SHA-512
> >>12:GOST R 34.10-2001
> >>
> >>Let me know if anyone has questions. :-)
> 
> Woo-hoo!  Thanks, Becky.
> 
> >What is your use case for #12? (No smiley)
> 
> EDU is not a US-only TLD.  There might, in fact, be EDUs in Russia.

As a side note, it's actually rather interesting that EDUCAUSE
chose not to disclose any zone content information (I don't know
if this is some legal requirement or not), by using NSEC3 with the
absolute minimum parameters (no iterations, no salt), i.e. just
enough to prevent zone enumeration.

I'm sure this is a well-thought-out, "balanced" approach, since the
EDU delegations are not really private information, but it would
be nice to hear the rationale behind the choice.


Regards,
Anthony
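
For reference, the NSEC3 owner-name hash defined in RFC 5155, which the "no iterations, no salt" parameters mentioned above feed into. This is an added example, not part of the original message or of any EDUCAUSE/VeriSign tooling; the function names are this example's own, and the non-empty salt and iteration count in the demo are constructed for comparison.

```python
import base64
import hashlib

# NSEC3 uses the base32hex alphabet (RFC 4648, section 7), unpadded.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lower-cased) DNS wire format of a fully qualified name."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = SHA1(x || salt), then
    `iterations` additional rounds of SHA1(previous || salt)."""
    if iterations < 0:
        raise ValueError("iterations must be >= 0")
    # "-" is the presentation form of an empty salt in NSEC3PARAM records.
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).decode("ascii")
    return encoded.translate(_B32_TO_B32HEX).lower()


if __name__ == "__main__":
    # With the minimal parameters, the NSEC3 owner label is one SHA-1 pass
    # over the wire-format name.
    print("0 iterations, no salt :", nsec3_hash("lsu.edu"))
    # Constructed values, to show how salt and iterations change the label.
    print("12 iterations, salted :", nsec3_hash("lsu.edu", "aabbccdd", 12))
```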

