[Opendnssec-develop] algorithm support

Rickard Bondesson rickard.bondesson at iis.se
Wed Jul 1 07:31:46 UTC 2009


> Hi,
> 
> the previous discussion raised a question for me, which has 
> been answered, but I have a bit of a cache miss. Did we want 
> RSA/MD5 support? (because ldns does not have that, and I'm 
> not going to add it for 1.6)

I believe that we said that we could ignore MD5, since it is NOT RECOMMENDED. Are there any cases where you want to deploy DNSSEC with RSA/MD5 and not RSA/SHA1? Or must use MD5 since you cannot use SHA1?

This discussion was raised since we talked about using the built-in digesting functions in ldns, thus getting less overhead when doing digesting (PKCS#11 adds complexity). And most (???) HSMs do the digesting in their library, thus no acceleration. The second point was if the HSM does not support a particular digesting function, like SHA256 in the SCA6K (on Solaris this is added by another support library, but not if you use e.g. Ubuntu). This is if DNSSEC is expanded with new algorithms in the future.

Did we get a consensus that we should use ldns for hashing? If so then we should add a task to the Pivotal Tracker.

// Rickard
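
Added example, not part of the message above and not OpenDNSSEC or ldns code: a sketch of the split under discussion, where the digest is computed in software and the token only performs the RSA operation through CKM_RSA_PKCS. Python's hashlib stands in for the ldns digest functions; plan_signature, SAMPLE and OLD_TOKEN are hypothetical names and constructed values.

```python
import hashlib

# DER prefixes of DigestInfo for each hash (RFC 8017, section 9.2, note 1).
DIGESTINFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# PKCS#11 mechanisms that compute the digest on the token.
HASHING_MECHANISM = {"sha1": "CKM_SHA1_RSA_PKCS", "sha256": "CKM_SHA256_RSA_PKCS"}


def digest_info(alg: str, data: bytes) -> bytes:
    """Hash in software and wrap the digest in a DER DigestInfo."""
    return DIGESTINFO_PREFIX[alg] + hashlib.new(alg, data).digest()


def emsa_pkcs1_v1_5(alg: str, data: bytes, k: int) -> bytes:
    """Full padded block for a k-byte modulus: what CKM_RSA_PKCS builds on
    the token from the DigestInfo before the private-key operation."""
    t = digest_info(alg, data)
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def plan_signature(alg: str, data: bytes, token_mechanisms: set) -> tuple:
    """Return (mechanism, bytes handed to C_Sign).

    Hypothetical helper: prefers software hashing, so the token only has to
    offer CKM_RSA_PKCS, whatever digests it implements itself."""
    if "CKM_RSA_PKCS" in token_mechanisms:
        return "CKM_RSA_PKCS", digest_info(alg, data)
    if HASHING_MECHANISM[alg] in token_mechanisms:
        return HASHING_MECHANISM[alg], data
    raise LookupError("token cannot produce an RSA PKCS#1 v1.5 signature")


# Constructed stand-in for the bytes a signer hashes (RRSIG RDATA + RRset).
SAMPLE = b"constructed-rrsig-rdata-and-canonical-rrset"
# Constructed mechanism list for a token without SHA-256 support.
OLD_TOKEN = {"CKM_RSA_PKCS", "CKM_SHA1_RSA_PKCS"}

if __name__ == "__main__":
    mech, payload = plan_signature("sha256", SAMPLE, OLD_TOKEN)
    print(mech, len(payload), payload.hex())
```

With the digest done in software, a token that lacks CKM_SHA256_RSA_PKCS can still produce an RSA/SHA-256 signature, because it only ever sees the 51-byte DigestInfo.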


