internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Test SHA1 usage DNSSEC #184

Open ralphdolmans opened 7 years ago

ralphdolmans commented 7 years ago

Test DNSSEC chain for SHA1 usage for DS and DNSKEY. Also test for 512-bit RSA KSK/ZSK. Also see: https://twitter.com/VDukhovni/status/978077604711411713

mdavids commented 6 years ago

References:

R. Chandramouli and S. Rose, “Secure Domain Name System (DNS) Deployment Guide,” National Institute of Standards and Technology, NIST SP 800-81-2, 2013.

E. B. Barker and Q. H. Dang, “Recommendation for Key Management Part 3: Application-Specific Key Management Guidance,” National Institute of Standards and Technology, NIST SP 800-57 Pt3 Rev 1, 2015.

baknu commented 3 years ago

See also https://tools.ietf.org/html/rfc8624

sinteur commented 2 years ago

@gthess does the interface to unbound have these details available?

gthess commented 2 years ago

IIRC, no; you would have to parse the returned RR data. Something like that happens for the TLSA record at https://github.com/internetstandards/Internet.nl/blob/b9ec5339df851265ee0c289409fb0356b6323fe9/checks/tasks/__init__.py#L79 but I guess you would have to do it in https://github.com/internetstandards/Internet.nl/blob/b9ec5339df851265ee0c289409fb0356b6323fe9/checks/tasks/dnssec.py#L324 for the dnssec test for DS and DNSKEY.

baknu commented 2 years ago

@gthess: thanks. Is there a library which can parse this data? For example ldns?

gthess commented 2 years ago

You only need a couple of numbers out of that. Based on the default wire (bytes) output of Unbound and for example https://datatracker.ietf.org/doc/html/rfc4034#section-5.1 for DS you know that the third byte is the algorithm. From https://datatracker.ietf.org/doc/html/rfc4034#section-2.1 for DNSKEY you know that the fourth byte is the algorithm.
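The byte offsets gthess gives above are all that is needed to write the check. The following is an added example for this thread, not Internet.nl's own code: it parses DS and DNSKEY RDATA in wire format, reads the algorithm and digest-type bytes at the positions described (RFC 4034 sections 5.1 and 2.1), and additionally decodes the RSA public key layout from RFC 3110 so the 512-bit key case from the issue title can be detected. The `MIN_RSA_BITS` threshold, the sample records and the function names are assumptions made for the example.

```python
import struct

# Added example for issue #184; not part of Internet.nl.
# Parses DS / DNSKEY RDATA (wire bytes, as returned by Unbound) and flags
# SHA-1 usage and short RSA keys.

# DS digest type 1 is SHA-1 (RFC 4034 section 5.1 / IANA DS digest registry).
DS_DIGEST_SHA1 = 1
# DNSKEY algorithms whose signature scheme is built on SHA-1 (RFC 8624 lists
# these as NOT RECOMMENDED or MUST NOT for signing).
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
# Algorithms whose public key is an RFC 3110 RSA key (exponent length, exponent, modulus).
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_RSA_BITS = 2048  # threshold assumed for this example


def parse_ds(rdata: bytes) -> dict:
    """DS RDATA: key tag (2 bytes), algorithm (1), digest type (1), digest (rest)."""
    if len(rdata) < 4:
        raise ValueError("DS RDATA shorter than 4 bytes")
    key_tag, algorithm, digest_type = struct.unpack("!HBB", rdata[:4])
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": rdata[4:]}


def parse_dnskey(rdata: bytes) -> dict:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key (rest)."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than 4 bytes")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": rdata[4:]}


def rsa_modulus_bits(public_key: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key.

    Layout: exponent length as 1 byte, or a 0 byte followed by a 2-byte
    length; then the exponent; the remaining bytes are the modulus.
    """
    if not public_key:
        raise ValueError("empty RSA public key")
    exp_len, offset = public_key[0], 1
    if exp_len == 0:
        if len(public_key) < 3:
            raise ValueError("truncated two-byte exponent length")
        exp_len = struct.unpack("!H", public_key[1:3])[0]
        offset = 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("RSA public key has no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_ds(rdata: bytes) -> list:
    """Return human-readable findings for one DS record (empty list = nothing flagged)."""
    ds = parse_ds(rdata)
    findings = []
    if ds["digest_type"] == DS_DIGEST_SHA1:
        findings.append("DS digest type 1 (SHA-1)")
    if ds["algorithm"] in SHA1_ALGORITHMS:
        findings.append("DS algorithm %d (%s) is SHA-1 based"
                        % (ds["algorithm"], SHA1_ALGORITHMS[ds["algorithm"]]))
    return findings


def check_dnskey(rdata: bytes) -> list:
    """Return findings for one DNSKEY record: SHA-1 algorithm and/or short RSA modulus."""
    key = parse_dnskey(rdata)
    alg = key["algorithm"]
    findings = []
    if alg in SHA1_ALGORITHMS:
        findings.append("DNSKEY algorithm %d (%s) is SHA-1 based" % (alg, SHA1_ALGORITHMS[alg]))
    if alg in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(key["public_key"])
        if bits < MIN_RSA_BITS:
            findings.append("RSA modulus is %d bits (below %d)" % (bits, MIN_RSA_BITS))
    return findings


# Constructed sample records (not real zone data).
# DS: key tag 12345, algorithm 5 (RSASHA1), digest type 1 (SHA-1), 20-byte digest.
SAMPLE_DS = struct.pack("!HBB", 12345, 5, 1) + b"\x11" * 20
# DNSKEY: flags 257 (KSK), protocol 3, algorithm 5, RSA e=65537, 64-byte (512-bit) modulus.
SAMPLE_DNSKEY_WEAK = (struct.pack("!HBB", 257, 3, 5)
                      + bytes([3]) + b"\x01\x00\x01" + b"\xc0" + b"\x55" * 63)
# DNSKEY: algorithm 8 (RSASHA256), two-byte exponent length form, 256-byte (2048-bit) modulus.
SAMPLE_DNSKEY_RSA2048 = (struct.pack("!HBB", 257, 3, 8)
                         + b"\x00" + struct.pack("!H", 3) + b"\x01\x00\x01" + b"\x80" * 256)
# DNSKEY: algorithm 13 (ECDSAP256SHA256), nothing to flag.
SAMPLE_DNSKEY_OK = struct.pack("!HBB", 257, 3, 13) + b"\xaa" * 64

if __name__ == "__main__":
    for name, rdata, fn in (("DS", SAMPLE_DS, check_ds),
                            ("DNSKEY weak", SAMPLE_DNSKEY_WEAK, check_dnskey),
                            ("DNSKEY rsa2048", SAMPLE_DNSKEY_RSA2048, check_dnskey),
                            ("DNSKEY ok", SAMPLE_DNSKEY_OK, check_dnskey)):
        print(name, fn(rdata) or "ok")
```

In the real check the `rdata` bytes would come from the Unbound response handled around the `dnssec.py` line linked above, one call per DS and DNSKEY RR in the chain; the SHA-1 algorithm set is the same for both record types, since a DS record's algorithm field names the DNSKEY algorithm it refers to.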