[Opendnssec-develop] algorithm support

roy at nominet.org.uk roy at nominet.org.uk
Wed Jul 1 07:48:32 UTC 2009


Rickard Bondesson wrote on 07/01/2009 09:31:46 AM:

> > Hi,
> >
> > the previous discussion raised a question for me, which has
> > been answered, but I have a bit of a cache miss. Did we want
> > RSA/MD5 support? (because ldns does not have that, and I'm
> > not going to add it for 1.6)
>
> I believe that we said that we could ignore MD5, since it is NOT
> RECOMMENDED. Are there any cases where you want to deploy DNSSEC
> with RSA/MD5 and not RSA/SHA1? Or must use MD5 since you can not use
> SHA1?

No.

> This discussion was raised since we talked about using the built-in
> digesting functions in ldns. Thus getting less overhead when doing
> digesting (PKCS#11 adds complexity). And most (???) HSMs do the
> digesting in their library, thus no acceleration. The second point was
> if the HSM does not support a particular digesting function, like
> SHA256 in the SCA6K (on Solaris this is added by another support
> library, but not if you use e.g. Ubuntu). This is if DNSSEC is
> expanded with new algorithms in the future.
>
> Did we get a consensus that we should use ldns for hashing? If so
> then we should add a task to the Pivotal Tracker.

+1 for using ldns for hashing

Roy



