Open ralphdolmans opened 7 years ago
References:
R. Chandramouli and S. Rose, “Secure Domain Name System (DNS) Deployment Guide,” National Institute of Standards and Technology, NIST SP 800-81-2, 2013.
E. B. Barker and Q. H. Dang, “Recommendation for Key Management Part 3: Application-Specific Key Management Guidance,” National Institute of Standards and Technology, NIST SP 800-57 Pt3 Rev 1, 2015.
See also https://tools.ietf.org/html/rfc8624
@gthess does the interface to unbound have these details available?
IIRC, no; you would have to parse the returned RR data. Something like that happens for the TLSA record at https://github.com/internetstandards/Internet.nl/blob/b9ec5339df851265ee0c289409fb0356b6323fe9/checks/tasks/__init__.py#L79 but I guess you would have to do it in https://github.com/internetstandards/Internet.nl/blob/b9ec5339df851265ee0c289409fb0356b6323fe9/checks/tasks/dnssec.py#L324 for the dnssec test for DS and DNSKEY.
@gthess: thanks. Is there a library which can parse this data? For example ldns?
You only need a couple of numbers out of that. Based on the default wire (bytes) output of Unbound and for example https://datatracker.ietf.org/doc/html/rfc4034#section-5.1 for DS you know that the third byte is the algorithm. From https://datatracker.ietf.org/doc/html/rfc4034#section-2.1 for DNSKEY you know that the fourth byte is the algorithm.
Test DNSSEC chain for SHA1 usage for DS and DNSKEY. Also test for 512-bit RSA KSK/ZSK. Also see: https://twitter.com/VDukhovni/status/978077604711411713
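Putting the two comments above together: the byte offsets gthess gives for DS (RFC 4034 §5.1) and DNSKEY (§2.1) are enough to apply the SHA-1 and 512-bit RSA checks the issue asks for directly on Unbound's raw RDATA. The following is an added example, not Internet.nl's own code; the sample RDATA at the bottom is constructed, and the `MIN_RSA_BITS` threshold and the `weak_findings` helper name are assumptions.

```python
import struct

SHA1_ALGS = {3, 5, 6, 7}        # DSA, RSASHA1, DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1
RSA_ALGS = {1, 5, 7, 8, 10}     # RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
DS_DIGEST_SHA1 = 1
MIN_RSA_BITS = 1024             # assumed threshold; a 512-bit modulus is flagged

def parse_ds(rdata):
    """DS RDATA (RFC 4034 5.1): key tag (2 bytes), algorithm (1), digest type (1), digest."""
    key_tag, alg, digest_type = struct.unpack("!HBB", rdata[:4])
    return {"key_tag": key_tag, "algorithm": alg, "digest_type": digest_type, "digest": rdata[4:]}

def rsa_modulus_bits(pubkey):
    """RFC 3110 RSA key: exponent length (1 byte, or 0 then 2 bytes), exponent, modulus."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[off + exp_len:].lstrip(b"\x00")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()

def parse_dnskey(rdata):
    """DNSKEY RDATA (RFC 4034 2.1): flags (2 bytes), protocol (1), algorithm (1), public key."""
    flags, protocol, alg = struct.unpack("!HBB", rdata[:4])
    key = {"flags": flags, "protocol": protocol, "algorithm": alg, "is_ksk": bool(flags & 0x0001)}
    if alg in RSA_ALGS:            # SEP bit (0x0001) marks the KSK; size only matters for RSA
        key["bits"] = rsa_modulus_bits(rdata[4:])
    return key

def weak_findings(ds_rdatas, dnskey_rdatas):
    """Findings for SHA-1 DS digests, SHA-1 based algorithms and RSA keys below MIN_RSA_BITS."""
    out = []
    for ds in map(parse_ds, ds_rdatas):
        if ds["digest_type"] == DS_DIGEST_SHA1:
            out.append(f"DS {ds['key_tag']}: SHA-1 digest type")
    for key in map(parse_dnskey, dnskey_rdatas):
        role = "KSK" if key["is_ksk"] else "ZSK"
        if key["algorithm"] in SHA1_ALGS:
            out.append(f"DNSKEY {role}: SHA-1 based algorithm {key['algorithm']}")
        if key.get("bits", MIN_RSA_BITS) < MIN_RSA_BITS:
            out.append(f"DNSKEY {role}: RSA modulus only {key['bits']} bits")
    return out

# Constructed sample RDATA (not real zone data): SHA-1 DS, 512-bit RSASHA1 KSK, P-256 ZSK.
SAMPLE_DS = [struct.pack("!HBB", 12345, 5, 1) + b"\xaa" * 20]
SAMPLE_DNSKEY = [
    struct.pack("!HBB", 0x0101, 3, 5) + b"\x01\x03" + b"\xc0" + b"\x11" * 63,   # exponent 3, 64-byte modulus
    struct.pack("!HBB", 0x0100, 3, 13) + b"\x22" * 64,                          # ECDSAP256SHA256, no size check
]
```

Running `weak_findings(SAMPLE_DS, SAMPLE_DNSKEY)` on the samples reports the SHA-1 digest type on the DS and both the SHA-1 algorithm and the 512-bit modulus on the KSK, while the ECDSA ZSK produces no finding.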