Information
When Zone Signing Keys (ZSK) or Key Signing Keys (KSK) are generated there are several secure DNSSEC digital signature algorithms that are recommended. The algorithms are listed below with the standard DNSSEC algorithm number followed by the common name, and then the BIND 9 mnemonic name used by dnssec-keygen.
- 8 RSA/SHA-256 RSASHA256
- 10 RSA/SHA-512 RSASHA512
- 13 ECDSA/SHA-256 ECDSAP256SHA256
- 14 ECDSA/SHA-384 ECDSAP384SHA384
- 15 Ed25519 ED25519
Rationale:
A secure public key algorithm, together with a secure hash algorithm, is part of the foundation of a secure digital signature. Weaknesses in older public key algorithms continue to be found, so it is important to use a recommended algorithm that is expected to remain secure for the near future.
Solution
To remediate a weak key, perform the following:
Generate a new key to replace the weak key using dnssec-keygen and one of the recommended algorithms. Example commands are shown below.
# dnssec-keygen -a RSASHA256 -b 2048 example.com
# dnssec-keygen -a ECDSAP384SHA384 cisecurity.org
Implement a rollover period to phase out the weak key and replace it with the newly generated key.
Once the key is fully deleted from active use, remove the file.
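Before starting a rollover it helps to know which existing keys actually use a non-recommended algorithm. The following POSIX shell script is an added example, not part of the benchmark text or of BIND: it extracts the algorithm number from DNSKEY records (with or without a TTL field) and from BIND key file names of the form K<zone>.+<alg>+<id>.key, checks it against the list of recommended numbers given above (8, 10, 13, 14, 15), and counts the weak keys. The DNSKEY records and file name it is run on are constructed samples, not real key material.

```shell
#!/bin/sh
# Added example: audit DNSKEY records and key file names for non-recommended
# DNSSEC algorithm numbers. Recommended numbers taken from the list above.

# Print the algorithm number of one DNSKEY record line.
# Handles "owner IN DNSKEY flags proto alg key" and
# "owner TTL IN DNSKEY flags proto alg key": the algorithm is the third
# field after the literal DNSKEY (flags, protocol, algorithm).
dnskey_algorithm() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 3); exit }
    }'
}

# Print the algorithm number encoded in a BIND key file name, e.g.
# Kexample.com.+008+12345.key -> 8. Directory components are ignored.
keyfile_algorithm() {
    base=${1##*/}
    printf '%s\n' "$base" | awk -F'+' 'NF >= 3 { print $2 + 0 }'
}

# Exit 0 if the algorithm number is on the recommended list, 1 otherwise.
algorithm_is_recommended() {
    case "$1" in
        8|10|13|14|15) return 0 ;;
        *) return 1 ;;
    esac
}

# Read DNSKEY records on stdin (";" comments and blank lines ignored),
# report each weak key on stderr and print the number of weak keys on stdout.
count_weak_dnskeys() {
    weak=0
    while IFS= read -r line; do
        case "$line" in ''|';'*) continue ;; esac
        alg=$(dnskey_algorithm "$line")
        [ -n "$alg" ] || continue
        if ! algorithm_is_recommended "$alg"; then
            weak=$((weak + 1))
            printf 'WEAK algorithm %s: %s\n' "$alg" "$line" >&2
        fi
    done
    printf '%s\n' "$weak"
}

# Constructed sample records (the key data is placeholder text, not real keys).
SAMPLE_DNSKEYS='; constructed sample zone, not a real key set
example.com. IN DNSKEY 257 3 8 AwEAAcKSKplaceholder
example.com. IN DNSKEY 256 3 5 AwEAAcZSKlegacyRSASHA1
example.com. 3600 IN DNSKEY 256 3 13 AwEAAcZSKecdsaPlaceholder
example.com. IN DNSKEY 256 3 7 AwEAAcZSKnsec3RSASHA1'

# Run the audit on the constructed sample: prints 2 (algorithms 5 and 7).
printf '%s\n' "$SAMPLE_DNSKEYS" | count_weak_dnskeys
```

On a real server, feed the script the output of a zone file or of `cat K*.key` from the key directory; any key it flags is a candidate for the rollover procedure described in the steps above.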
Default Value:
The default algorithm is RSASHA1.