DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 3 Weeks Ago
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 46
Default [/!\] DNSSEC : dont use anymore SHA-1! [/!\]

Hi, all.

In 2020/01/17, the APNIC wrote an article about "SHA-1 prefix collisions and DNSSEC".

If you manage yourself your(s) DNS zones with DNSSEC, and use SHA-1, change absolutly your config parameters and regenerate all yours KSK and ZSK keys.

Segun the RFC 8624, the recommandations are:

=> for the DNSKey algorithms:
- not less than RSASHA256, with 2048 bit keys.
- or ECDSAP256SHA256
- the better is ED25519 or ideally ED448

=> for the DS and CDS algorithms:
- SHA-256
- or ideally SHA-384

source
Reply With Quote
Reply

Tags
collision, dns, dnssec, sha1

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
There's No Protection In High Ports Anymore, Son. If Indeed There Ever Was. J65nko News 6 19th February 2013 01:54 AM
upgrade all ports while i sleep, dont bug me xmorg FreeBSD Ports and Packages 3 23rd October 2011 03:39 PM
Can't passwd on all accounts anymore ck2323 FreeBSD General 1 7th October 2009 03:28 AM
Printer dont take rights mururoa FreeBSD General 3 5th October 2009 12:54 PM
sendmail dont boot dejabu18 FreeBSD Ports and Packages 0 8th October 2008 02:07 PM


All times are GMT. The time now is 04:02 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick