24th January 2020
CiotBSD
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
[/!\] DNSSEC: don't use SHA-1 anymore! [/!\]

Hi, all.

On 2020/01/17, APNIC wrote an article about "SHA-1 prefix collisions and DNSSEC".

If you manage your DNS zones yourself with DNSSEC and use SHA-1, absolutely change your config parameters and regenerate all your KSK and ZSK keys.

According to RFC 8624, the recommendations are:

=> for the DNSKey algorithms:
- not less than RSASHA256, with 2048-bit keys
- or ECDSAP256SHA256
- better still, ED25519, or ideally ED448

=> for the DS and CDS algorithms:
- SHA-256
- or ideally SHA-384

source
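As an added example (my own, not from the post or the APNIC article), a small Python audit that applies the checklist above to DNSKEY and DS records in presentation format, as you would paste them from your zone file or a dig answer: it flags SHA-1-based DNSKEY algorithms (5 and 7), RSA keys shorter than 2048 bits and DS digests other than SHA-256/SHA-384. The zone name and key material are constructed for the demo, not real.

```python
import base64

# Algorithm numbers from the IANA DNSSEC registry; the sets follow the post's RFC 8624 summary.
SHA1_BASED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
ACCEPTED_ALGS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519", 16: "ED448"}
RSA_ALGS = {8, 10}                                   # key size is checked for these
ACCEPTED_DS_DIGESTS = {2: "SHA-256", 4: "SHA-384"}   # DS digest type 1 is SHA-1
MIN_RSA_BITS = 2048

def rsa_modulus_bits(pubkey_b64):
    """Modulus size in bits of an RSA DNSKEY public key (RFC 3110 wire format)."""
    raw = base64.b64decode(pubkey_b64)
    exp_len, off = raw[0], 1
    if exp_len == 0:                                  # long form: 2-byte exponent length
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    return (len(raw) - off - exp_len) * 8

def audit_record(line):
    """Audit one DNSKEY or DS record in presentation format; return (owner, verdict)."""
    fields = line.split()
    owner, rtype, rdata = fields[0], fields[3], fields[4:]
    if rtype == "DNSKEY":                             # rdata: flags protocol alg key...
        alg, key = int(rdata[2]), "".join(rdata[3:])
        if alg in SHA1_BASED_ALGS:
            return owner, f"FAIL DNSKEY alg {alg} {SHA1_BASED_ALGS[alg]}: SHA-1 based"
        if alg in RSA_ALGS and rsa_modulus_bits(key) < MIN_RSA_BITS:
            return owner, f"FAIL DNSKEY alg {alg}: RSA key only {rsa_modulus_bits(key)} bits"
        if alg not in ACCEPTED_ALGS:
            return owner, f"REVIEW DNSKEY alg {alg}: not in the recommended list"
        return owner, f"OK DNSKEY alg {alg} {ACCEPTED_ALGS[alg]}"
    if rtype == "DS":                                 # rdata: keytag alg digesttype digest
        digest = int(rdata[2])
        if digest in ACCEPTED_DS_DIGESTS:
            return owner, f"OK DS digest {digest} {ACCEPTED_DS_DIGESTS[digest]}"
        return owner, f"FAIL DS digest {digest}: {'SHA-1' if digest == 1 else 'not recommended'}"
    return owner, f"SKIP {rtype}"

def audit_zone(records):
    return [audit_record(r) for r in records]

# Constructed sample records (hypothetical zone, not real keys): a 1024-bit RSA modulus
# with e=65537 and an all-zero Ed25519 key, plus two DS records for the same key tag.
_rsa1024 = base64.b64encode(b"\x03\x01\x00\x01" + b"\xab" * 128).decode()
_ed25519 = base64.b64encode(b"\x00" * 32).decode()
SAMPLE_RECORDS = [
    f"example.test. 3600 IN DNSKEY 257 3 5 {_rsa1024}",
    f"example.test. 3600 IN DNSKEY 256 3 8 {_rsa1024}",
    f"example.test. 3600 IN DNSKEY 257 3 15 {_ed25519}",
    "example.test. 3600 IN DS 12345 8 1 " + "ab" * 20,
    "example.test. 3600 IN DS 12345 8 2 " + "ab" * 32,
]
```

Run `audit_zone(SAMPLE_RECORDS)` (or feed it the lines of `dig +multi DNSKEY yourzone` and `dig DS yourzone`) and every record comes back with an OK, REVIEW or FAIL verdict; anything marked FAIL is what the post says to re-key.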