Closed diamatrix closed 2 years ago
The not-quite-new RFC says:
it [SHA-1] MUST NOT be used to generate new DS and CDS records
It would be great if you could specify the digest you want generated like "pdnsutil secure-zone example.com sha256 sha384" and it would only create those specified DS record digests. Keeps it flexible.
secure-zone does not make DSes. show-zone does.
Short description
Removal of the SHA-1 Digest from PDNS and make SHA-256 the lowest and default digest for DNSSEC
Use case
The SHA-1 DS is ignored if you have a SHA-256 or SHA-384 DS in the same RRset (according to RFC 4509).
ICANN has also requested that administrators stop using SHA-1 for DNSSEC - https://www.icann.org/en/blogs/details/its-time-to-move-away-from-using-sha-1-in-the-dns-24-1-2020-en
Having it displayed in the show-zone means that less knowledgeable people will continue to use it as their DS records when they really should only use SHA-256 and above.
I really do think that you should be steering people away from SHA-1.
Description
Due to the insecurity of SHA-1, the fact that the SHA-1 digest is ignored if SHA-256 is used, and the fact that ICANN has asked administrators to stop using the SHA-1 digest, I think it's time for PowerDNS to drop support for it and also not display it under the "pdnsutil show-zone" function.
SHA-256 should be the default and lowest digest used for DNSSEC in PowerDNS.
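An added example, not PowerDNS code, showing the two rules this issue rests on: a DS generator that refuses digest type 1 (the RFC 8624 "MUST NOT" the first comment quotes) and a validator-side filter applying the RFC 4509 rule that SHA-1 DS records are ignored when stronger ones are in the same RRset. The owner name and key bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

# DS digest type numbers from the IANA registry (RFC 4034, RFC 4509, RFC 6605).
DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384 = 1, 2, 4
HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256, DIGEST_SHA384: hashlib.sha384}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex-encoded digest, as shown by show-zone

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def allowed_digest(digest_type: int) -> bool:
    """RFC 8624: SHA-1 MUST NOT be used to generate new DS/CDS records; SHA-256 is the floor."""
    return digest_type in (DIGEST_SHA256, DIGEST_SHA384)

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes,
            digest_type: int = DIGEST_SHA256) -> DS:
    """RFC 4034 5.1.4: DS digest = H(owner name in wire format | DNSKEY RDATA)."""
    if not allowed_digest(digest_type):
        raise ValueError("digest type %d may not be used for new DS records" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)

def usable_ds(rrset):
    """RFC 4509 section 3: a validator ignores SHA-1 DS RRs when the RRset also holds
    SHA-256 ones; the issue reads SHA-384 the same way, so both count as 'stronger'."""
    has_strong = any(ds.digest_type in (DIGEST_SHA256, DIGEST_SHA384) for ds in rrset)
    return [ds for ds in rrset if not (has_strong and ds.digest_type == DIGEST_SHA1)]
```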