22 Čec
2021
22 Čec
'21
16:55
Hi all
I am currently running these two policies:
```
policy:
- id: edecc
algorithm: ed25519
nsec3: on
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
nsec3: on
```
I tried enabling both with this command, but to no effect:
```
dnssec-policy: [ edecc, rsa ]
```
Is there a way to do both at the same time in one zone?
I am currently running knot 3.0.8
Cheers,
Stefan
22 Čec
22 Čec
19:56
Hi Stefan,
I'm sorry, it's not possible to configure more DNSSEC policies (more
algorithms) per one zone at the same time.
Maybe, with the manual key management and more configuration files when
generating keys via keymgr, it could work somehow. But I'm not sure and
probably it's not what you are looking for :-)
Daniel
On 22. 07. 21 16:55, Schindler, Stefan wrote:
Hi all
I am currently running these two policies:
```
policy:
- id: edecc
algorithm: ed25519
nsec3: on
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
nsec3: on
```
I tried enabling both with this command, but to no effect:
```
dnssec-policy: [ edecc, rsa ]
```
Is there a way to do both at the same time in one zone?
I am currently running knot 3.0.8
Cheers,
Stefan
23 Čec
23 Čec
16:13
Hi Daniel,
Would it be possible to activate more than one algorithm in a policy?
If not, how hard would it be to include that functionality?
Because for some reason a lot of ISP resolvers support RSA only while I
would like to future-proof my zone with ED25519 at the same time.
Cheers,
Stefan
Am Do., 22. Juli 2021 um 19:56 Uhr schrieb Daniel Salzman <
daniel.salzman(a)nic.cz>gt;:
Hi Stefan,
I'm sorry, it's not possible to configure more DNSSEC policies (more
algorithms) per one zone at the same time.
Maybe, with the manual key management and more configuration files when
generating keys via keymgr, it could work somehow. But I'm not sure and
probably it's not what you are looking for :-)
Daniel
On 22. 07. 21 16:55, Schindler, Stefan wrote:
Hi all
I am currently running these two policies:
```
policy:
- id: edecc
algorithm: ed25519
nsec3: on
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
nsec3: on
```
I tried enabling both with this command, but to no effect:
```
dnssec-policy: [ edecc, rsa ]
```
Is there a way to do both at the same time in one zone?
I am currently running knot 3.0.8
Cheers,
Stefan
16:28
Hello.
On 23/07/2021 16.13, Schindler, Stefan wrote:
Because for some reason a lot of ISP resolvers support
RSA only while
I would like to future-proof my zone with ED25519 at the same time.
As the current DNSSEC standards go, I think it's normally not worth
using two algorithms at once on a single zone (except temporarily when
changing from one to another). Validators will succeed when validation
with *any* of the algorithms succeeds. Therefore adding a stronger algo
won't make the result stronger (attackers can choose which one to
compromise) - at least until the weaker algo gets (commonly) considered
as insecure.
Weirdly enough, DNSSEC validators do not do that even with short RSAs -
one problem is that standardized (non-)support mechanism is independent
of key length. That's OK for the new fixed-length algos but not so much
for RSA.
--Vladimir | knot-resolver.cz
17:57
Hi Vladimir
I tried switching to the ED25519 algorithm, but then home users could no
longer resolve anything in the zone because the resolvers are too
old/incomplete.
So, to stay resolvable I was hoping to work around that with two
algorithms.
Partially hoping with the zone using the newer algorithm over time more
resolvers would be upgraded.
Like with TLS 1.3 more clients will support it if most servers have it
already enabled by default.
Cheers,
Stefan
Am Fr., 23. Juli 2021 um 16:28 Uhr schrieb Vladimír Čunát <
vladimir.cunat(a)nic.cz>gt;:
Hello.
On 23/07/2021 16.13, Schindler, Stefan wrote:
Because for some reason a lot of ISP resolvers
support RSA only while
I would like to future-proof my zone with ED25519 at the same time.
As the current DNSSEC standards go, I think it's normally not worth
using two algorithms at once on a single zone (except temporarily when
changing from one to another). Validators will succeed when validation
with *any* of the algorithms succeeds. Therefore adding a stronger algo
won't make the result stronger (attackers can choose which one to
compromise) - at least until the weaker algo gets (commonly) considered
as insecure.
Weirdly enough, DNSSEC validators do not do that even with short RSAs -
one problem is that standardized (non-)support mechanism is independent
of key length. That's OK for the new fixed-length algos but not so much
for RSA.
--Vladimir | knot-resolver.cz
18:20
On 23/07/2021 17.57, Schindler, Stefan wrote:
I tried switching to the ED25519 algorithm, but then
home users could
no longer resolve anything in the zone because the resolvers are too
old/incomplete.
So, to stay resolvable I was hoping to work around that with two
algorithms.
You'll have to try, I guess. A zone using only algorithms unsupported
by a validator is defined not to lead to failure. Just to get downgraded
to insecure status. So I find it hard to assume anything about such
broken clients (well... I hope your zone was not really broken in some way).
3 Srp
3 Srp
16:08
Hi Stefan,
we understand your motivation for having two dnssec policies but it would complicate the
dnssec code,
which already is quite complex, and we don't want to introduce new bugs. I'm
sorry.
But with manual key management it's possible to sign the zone using more algorithms.
Also as explained before, using more algorithms doesn't result in higher security.
Regards,
Daniel
On 7/23/21 4:13 PM, Schindler, Stefan wrote:
Hi Daniel,
Would it be possible to activate more than one algorithm in a policy?
If not, how hard would it be to include that functionality?
Because for some reason a lot of ISP resolvers support RSA only while I would like to
future-proof my zone with ED25519 at the same time.
Cheers,
Stefan
Am Do., 22. Juli 2021 um 19:56 Uhr schrieb Daniel Salzman <daniel.salzman(a)nic.cz
<mailto:daniel.salzman@nic.cz>>:
Hi Stefan,
I'm sorry, it's not possible to configure more DNSSEC policies (more
algorithms) per one zone at the same time.
Maybe, with the manual key management and more configuration files when
generating keys via keymgr, it could work somehow. But I'm not sure and
probably it's not what you are looking for :-)
Daniel
On 22. 07. 21 16:55, Schindler, Stefan wrote:
Hi all
I am currently running these two policies:
```
policy:
- id: edecc
algorithm: ed25519
nsec3: on
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
nsec3: on
```
I tried enabling both with this command, but to no effect:
```
dnssec-policy: [ edecc, rsa ]
```
Is there a way to do both at the same time in one zone?
I am currently running knot 3.0.8
Cheers,
Stefan
1206
days inactive
1218
days old
6 comments
3 participants
participants (3)
-
Daniel Salzman -
Schindler, Stefan -
Vladimír Čunát