[db-wg] Support for SHA256 in ds-rdata checker

On 31/07/2012 01:14, Alexander Gall wrote:

Dear Alexander,

> I'm not sure whether this belongs here or in the dns-wg (or somewhere
> else?).
> 
> I just updated the ds-rdata of one of our domain objects and realized
> that the RDNS checker does not support SHA-256, neither for the DS
> record nor as part of signature algorithm 8 (RSASHA256)
> 
> ***RDNS:    (related to set) INFO: 6199 8 2
>             03A50B02CC5FCBCC8071AD93212C923E8C399DE64AE7C042442E2DE2F0029592
>             ; uses a Digest type that is not implemented by this
>             checker. We cannot verify if the chain of trust is intact.
>             You should be conciously using digest types other than SHA1
> 
> ***RDNS:    (related to ns2.switch.ch) INFO: The signature over DNSKEY
>             is made with algorithm code 8 The checker does not implement
>             this algorithm and can therefore not validate the chain of
>             trust It is assumed that using algoritm type 8 is a
>             conscious choice.
> 
> SHA256 has been in use for both purposes for a number of years.  Are
> there any plans to support it in the RDNS checker?

We are aware of this limitation. Other users have also come across it,
and asked us about it. We are actually in the middle of replacing our
current delegation checker with the Swedish Registry's DNSCheck, which
handles all the current algorithms. We're close to completing the
replacement, so please watch out for an announcement very soon.

Regards,

Anand Buddhdev
RIPE NCC