namecoin / ncdns-nsis

NSIS scripts for ncdns.
https://www.namecoin.org/
GNU General Public License v3.0

Replace dnssec-keygen with memory-safe alternative #82

Closed JeremyRand closed 2 years ago

JeremyRand commented 3 years ago

coredns-keygen looks like it might be a suitable Go-based replacement; it uses miekg/dns.

JeremyRand commented 3 years ago

ncdns-nsis needs to create both a KSK (flags=257) and ZSK (flags=256); coredns-keygen only supports KSK at the moment. We should check with coredns-keygen devs whether they'd accept a PR for ZSK support.

JeremyRand commented 3 years ago

coredns-keygen only supports ECDSAP256SHA256. This is what we currently use, so that's fine, but it would be nice to see if they'd accept a PR for ED25519.

JeremyRand commented 3 years ago

> ncdns-nsis needs to create both a KSK (flags=257) and ZSK (flags=256); coredns-keygen only supports KSK at the moment. We should check with coredns-keygen devs whether they'd accept a PR for ZSK support.

Rejected by upstream because KSK/ZSK split is not needed for online signing setups (which includes madns-based setups).

So, seems the correct approach for us is to switch ncdns-nsis to a CSK-based setup, and then use that with coredns-keygen.
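The KSK/ZSK flag values and the ECDSAP256SHA256 algorithm discussed in this thread, shown at the wire level. This is an added example, not code from ncdns-nsis or coredns-keygen; it uses only the Go standard library, the helper names and the zone `example.bit.` are made up for illustration, and it assumes a CSK carries flags=257 like the KSK above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const (
	flagsZSK uint16 = 256 // Zone Key bit only
	flagsKSK uint16 = 257 // Zone Key + Secure Entry Point; assumed here for a CSK too
	algP256  byte   = 13  // ECDSAP256SHA256
)

// dnskeyRDATA builds DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol 3,
// algorithm, then the P-256 public key as X||Y (RFC 6605).
func dnskeyRDATA(flags uint16, pub *ecdsa.PublicKey) []byte {
	rdata := make([]byte, 4+64)
	binary.BigEndian.PutUint16(rdata[0:2], flags)
	rdata[2], rdata[3] = 3, algP256
	pub.X.FillBytes(rdata[4:36])
	pub.Y.FillBytes(rdata[36:68])
	return rdata
}

// keyTag computes the key tag over the RDATA (RFC 4034 Appendix B).
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// newKey generates a fresh P-256 key and returns its DNSKEY RDATA.
// The private key is discarded; a real keygen tool would write it out.
func newKey(flags uint16) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return dnskeyRDATA(flags, &priv.PublicKey), nil
}

func main() {
	r, err := newKey(flagsKSK)
	if err != nil {
		panic(err)
	}
	fmt.Printf("example.bit. IN DNSKEY 257 3 13 %s ; key tag %d\n", base64.StdEncoding.EncodeToString(r[4:]), keyTag(r))
}
```

The only on-the-wire difference between the two key roles is the low bit of the flags field, which is why a single flags=257 key can serve both roles when signing is done online.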

JeremyRand commented 3 years ago

> coredns-keygen only supports ECDSAP256SHA256. This is what we currently use, so that's fine, but it would be nice to see if they'd accept a PR for ED25519.

Appears that they would accept a PR for this.

JeremyRand commented 2 years ago

Splitting out the ED25519 issue to https://github.com/namecoin/ncdns-nsis/issues/118, and closing this issue as fixed by #117.