search for: ecdsap256sha256

On 2/12/19 10:55 PM, Alice Wonder wrote: > DNSSEC keys do not expire. Signatures do expire. How long a signature > is good for depends upon the software generating the signature, some > lets you specify. ldns I believe defaults to 60 days but I am not sure. > > The keys are in DNSSKEY records that are signed by your Key Signing > Key and must be resigning before the signature

...Signing Key. I see you are using algorithm 7 - I would recommend switching to either algorithm 13 or at least to 8. Algorithm 7 uses a SHA1 hash. See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04 That's a draft but soon will be an update to the standard. Algorithm 13 (ECDSAP256SHA256) results in much smaller keys and signatures and is equivalent to about RSA-3072 in strength, and it uses a SHA-256 hash. However note that changing algorithms will result in validation failure for few days unless done carefully. > > If I do not have to generate the keys every time the...

...adjusted limit on open files from 524288 to 1048576 Jul 21 23:49:14 dc-cloud named[637]: found 4 CPUs, using 4 worker threads Jul 21 23:49:14 dc-cloud named[637]: using 4 UDP listeners per interface Jul 21 23:49:14 dc-cloud named[637]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448 Jul 21 23:49:14 dc-cloud named[637]: DS algorithms: SHA-1 SHA-256 SHA-384 Jul 21 23:49:14 dc-cloud named[637]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512 Jul 21 23:49:14 dc-cloud named[637]: TKEY mode 2 support (Diffie-Hellma...