Bind RNDC Key - what Algorithm?

Started by RamSense, June 15, 2023, 05:22:35 PM

What is advised to use as Bind - RNDC Key? i just noticed i have HMAC-SHA256

But i read online this advice about what algorithm to use:

Quote: 5.1 Cryptographic algorithms

The cryptographic algorithms based on SHA-2 (RSA/SHA-256 and RSA/SHA-512) are available in BIND from version 9.6.2. The ECDSA-based algorithms (ECDSA Curve P-256 with SHA-256 and ECDSA Curve P-384 with SHA-384) are available from version 9.9.2. Finally, the EdDSA-based algorithms (Ed25519 and Ed448) are available from version 9.10.7.

RFC 8624 recommends using algorithm 13 (ECDSA Curve P-256 with SHA-256) alongside algorithm 8 (RSA/SHA-256), which was the standard for a long time but is now slowly being phased out in favour of the ECDSA-based algorithms.

Algorithm 10 (RSA/SHA-512), a variant of number 8, has never gained popularity, and its use is now discouraged. Algorithm 14 (ECDSA Curve P-384 with SHA-384) is a stronger version of number 13, but isn't needed yet. However, it is likely that, in due course, algorithm 13 will be succeeded not by algorithm 14 but by an EdDSA-based algorithm (algorithm 15, Ed25519).

Should I select HMAC-SHA384 instead? or otherwise?
Thnx for your help
Deciso DEC850v2
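A point worth separating out before answering the question: the quoted RFC 8624 text is about DNSSEC zone-signing algorithms (RSA, ECDSA, EdDSA key pairs made with dnssec-keygen), while an RNDC key is a TSIG-style shared secret used with an HMAC. Those are two different key types, so the DNSSEC recommendation does not transfer. For the rndc key the practical checks are: not hmac-md5 (or hmac-sha1), and a secret at least as long as the HMAC's digest; hmac-sha256 with a 32-byte secret is what current rndc-confgen writes by default, and switching to hmac-sha384 buys nothing measurable. The script below is an added example, not code from this thread or from BIND: it writes a fresh `key` clause in the rndc-confgen format and audits an existing clause for exactly those two problems, and it also refuses a DNSSEC signing algorithm name placed in a `key` clause. The sample clauses at the bottom are constructed for the demonstration.

```python
"""Generate and audit BIND rndc/TSIG 'key' clauses.

Added example (not from the forum thread or from BIND). It mimics what
`rndc-confgen -a -A hmac-sha256` writes, then audits a clause the way a
reviewer would: the algorithm must be an HMAC (not MD5/SHA-1, and not a
DNSSEC signing algorithm) and the secret at least digest-length long.
"""
import base64
import re
import secrets

# HMAC algorithms BIND accepts in a key clause, with digest length in bytes.
# rndc-confgen defaults the secret to the digest length.
HMAC_DIGEST_BYTES = {
    "hmac-md5": 16,
    "hmac-sha1": 20,
    "hmac-sha224": 28,
    "hmac-sha256": 32,
    "hmac-sha384": 48,
    "hmac-sha512": 64,
}
WEAK_HMAC = {"hmac-md5", "hmac-sha1"}

# DNSSEC signing algorithms (dnssec-keygen -a ...): valid for zone keys,
# meaningless in an rndc/TSIG key clause. Listed so the audit can say so.
DNSSEC_SIGNING_ALGS = {"rsasha256", "rsasha512", "ecdsap256sha256",
                       "ecdsap384sha384", "ed25519", "ed448"}

# Matches the clause layout rndc-confgen emits: name, algorithm, secret.
KEY_CLAUSE_RE = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[A-Za-z0-9+/=]+)"\s*;\s*\}\s*;',
    re.IGNORECASE | re.DOTALL,
)


def generate_key_clause(name="rndc-key", algorithm="hmac-sha256", nbytes=None):
    """Return a named.conf/rndc.conf 'key' clause with a fresh random secret."""
    alg = algorithm.lower()
    if alg not in HMAC_DIGEST_BYTES:
        raise ValueError(f"{algorithm} is not an HMAC usable in a key clause")
    nbytes = nbytes or HMAC_DIGEST_BYTES[alg]
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return f'key "{name}" {{\n\talgorithm {alg};\n\tsecret "{secret}";\n}};\n'


def audit_key_clause(text):
    """Parse one key clause; return (name, algorithm, list of findings)."""
    m = KEY_CLAUSE_RE.search(text)
    if not m:
        raise ValueError("no key clause found")
    name, alg = m.group("name"), m.group("alg").lower()
    findings = []
    if alg in DNSSEC_SIGNING_ALGS:
        findings.append(f"{alg} is a DNSSEC signing algorithm; "
                        "rndc/TSIG keys must use an hmac-* algorithm")
        return name, alg, findings
    if alg not in HMAC_DIGEST_BYTES:
        findings.append(f"unknown algorithm {alg}")
        return name, alg, findings
    if alg in WEAK_HMAC:
        findings.append(f"{alg} is deprecated; regenerate with hmac-sha256 or stronger")
    try:
        raw = base64.b64decode(m.group("secret"), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        findings.append("secret is not valid base64")
        return name, alg, findings
    need = HMAC_DIGEST_BYTES[alg]
    if len(raw) < need:
        findings.append(f"secret is {len(raw)} bytes; {alg} needs at least {need}")
    return name, alg, findings


# Constructed sample clauses (not taken from any real server).
LEGACY_MD5_KEY = ('key "rndc-key" { algorithm hmac-md5; '
                  'secret "AAAAAAAAAAAAAAAAAAAAAA=="; };')           # 16 zero bytes
SHORT_SHA256_KEY = ('key "rndc-key" { algorithm hmac-sha256; '
                    'secret "c2hvcnQ="; };')                         # "short", 5 bytes
MISUSED_DNSSEC_ALG = ('key "rndc-key" { algorithm ecdsap256sha256; '
                      'secret "c2hvcnQ="; };')

if __name__ == "__main__":
    print(generate_key_clause())
    for sample in (LEGACY_MD5_KEY, SHORT_SHA256_KEY, MISUSED_DNSSEC_ALG):
        name, alg, findings = audit_key_clause(sample)
        print(f"{name} ({alg}): {findings or 'ok'}")
```

Run it once to get a clause to paste into named.conf and rndc.conf (both sides need the identical `key` clause, and named.conf additionally needs a `controls` clause naming the key), then point the audit at whatever is in your current rndc.key to see whether it is still an MD5 or undersized secret left over from older installs.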

There may be a few missing, but it has never been very noisy around this part when we had MD5 as the only option for many years. If you update your internal Bind server at home it might not matter much. Sending this information over the Internet or in a company network/DMZ, it might be better to stick with either RSA/SHA-256 or RSA/SHA-512 as the options we currently have.

If you can figure out how to set the ECDSA ones on the config we can add them in the plugin by raising a GitHub issue.


Thanks,
Franco

June 16, 2023, 10:48:32 AM #2 Last Edit: December 17, 2023, 12:34:49 PM by RamSense
I found some instructions here: https://delaat.net/setup/

Quote: The location and naming structure used for the zone files is:

    The master zone files: edit those to change records, etc.
        /usr/local/var/named/example.net.zone
    The keys:
        /usr/local/var/named/keys/
    Bind can automatically sign and will produce intermediate files in the same directory as the zone files.

    mkdir /usr/local/var/named/keys

Then we need to once generate the key for each zone file on the master DNS server. That can be done with the following commands:

    dnssec-keygen -3 -a ECDSAP256SHA256 -K /usr/local/var/named/keys/ example.net
    dnssec-keygen -3 -a ECDSAP256SHA256 -f KSK -K /usr/local/var/named/keys/ example.net

Enable DNSSEC in named.conf by adding the following configuration directives inside options{ }:

    bbedit  /usr/local/etc/named.conf

in the main options add:

key-directory "/usr/local/var/named/keys";

In each of the zones to be signed, add:

    dnssec-policy default;
    inline-signing yes;

Restart bind to sign the zones and load them in master and slaves:

- Generating the keys did work (although I think that OPNsense Bind uses another directory to store its keys).
- The file "/usr/local/etc/named.conf" in OPNsense is "/usr/local/etc/namedb/named.conf" (?)
- But I do not know where to find the zones:
In each of the zones to be signed, add:

    dnssec-policy default;
    inline-signing yes;
