[Opendnssec-user] Change DS algorithm type

Dennis Baaten dennis at baaten.com
Tue Feb 2 19:07:55 UTC 2021


Hi Berry,

> -----Original Message-----
> From: (Berry) A.W. van Halderen <berry at nlnetlabs.nl>
> Sent: Tuesday, 2 February 2021 00:26
> To: dennis at baaten.com
> CC: Opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] Change DS algorithm type
> 
> Dear Dennis,
> 
> On Mon, Feb 01, 2021 at 11:21:30AM +0100, Dennis Baaten via Opendnssec-user wrote:
> > When performing tests using DNSViz.net, the algorithm used for creating the
> > DS is shown: Digest type / Digest alg. For the record: this is not the same
> > as the DNSSEC algorithm
> > (https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml).
> > As the DS Digest type is currently set to "1" (which is SHA-1) I would like
> > to change this in my ODS configuration. However, I cannot find any
> > documentation on how to change this and which values are supported. RFC5155
> > only mentions SHA-1: https://tools.ietf.org/html/rfc5155#section-11.
> > My guess is that it is related to this section in kasp.xml:
> > <NSEC3><HASH><Algorithm>1</Algorithm></HASH></NSEC3>. If so, then I'm also
> > guessing (based on testing other domains using DNSViz) that I can change
> > this to "2" being SHA-256.
> 
> The hash for generating a DS is something different from the hash used in
> NSEC3 records.  A DS record points to a DNSKEY record by hashing it.
> This needs to be secure, so yes a SHA-1 hash no longer suffices.
> OpenDNSSEC no longer outputs SHA-1 hashes unless you explicitly request it
> to do so.  Getting a hash as soon as a new KSK is ready is obtained by
> 
>   ods-enforcer key export -z example.com --ds
> 
> If the KSK is already active you will have to use an additional -e flag.

Thanks for explaining. So it is not the <NSEC3> section in kasp.xml. However,
it is still unclear to me how to change the hashing algorithm used for the
DS record. I don't see anything for that in the ODS config files. I'm also
not aware of forcing the use of SHA-1 since you state that ODS only does
this when explicitly requested. If I export the DS using "ods-enforcer key
export --zone baaten.com --keystate active --keytype ksk --ds" the output
states "active KSK DS record (SHA256)" and the exported hash is 64 hex
characters long, which is the correct length (a SHA-1 hash would be 40 hex
characters long).

Since I'm using TransIP as a hosting provider, I have to submit the public
key of my KSK in the TransIP control panel which is then submitted to the
parent zone. This is documented here
(https://www.transip.nl/knowledgebase/artikel/150-domeinnaam-nameservers-gebruikt-beveiligen-dnssec/)
in Dutch. There is no option to also submit the DS hash from the
ods-enforcer export command.

> 
> The hashing used for NSEC3 does not need to be so precise.  You cannot
> create a false hash as the NSEC3 records themselves are signed.  The
> only reason for hashing is to avoid easy zone walking (ie. retrieve all
> names from a zone).  You can only make this a bit harder with other
> hashing algorithms at great expense of all.  So basically not worth it
> and never done.
> 
> > Last but not least: any thoughts on how to perform this algorithm
> > rollover?
> 
> Algorithm rollovers are another thing.  This is the algorithm used by the
> KSK itself to sign the DNSKEY set.  The answer is simple.  Just update the
> Algorithm of the KSK or ZSK in the kasp.xml and reread this policy file
> using "ods-enforcer policy import".  The next rollover will be an
> algorithm rollover.

Nice that this is supported in ODS. Makes it easy.

> 
> \Berry
