| From | Evan Hunt <each@isc.org> |
|---|---|
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: rndc valid key types |
| Date | 2020-07-08 00:06 +0000 |
| Message-ID | <mailman.639.1594166775.942.bind-users@lists.isc.org> (permalink) |
| References | <647064616.20200707163237@sloop.net> <20200708000647.GA29947@isc.org> |
On Tue, Jul 07, 2020 at 04:32:37PM -0700, Gregory Sloop wrote:
> I've seen reports that HMAC-MD5 is the only valid key type.

That was the case at one time, but hasn't been for years.

> Is there any (security) reason/implications to use something "better"
> than MD5?

MD5 is broken (as is SHA1). In this specific context, a forged rndc message is probably impracticable on any reasonable time scale, and I wouldn't fear for security if I were using them. *But*, they're broken, and crypto people don't like keeping broken things around, so I wouldn't count on them being supported forever. We've already removed MD5 support in the context of DNSSEC keys; TSIG could come next. So, if you want to generate a key and not have to worry about generating another one in a year or two, I would advise against MD5 or SHA1.

> Is there any reason not to select the strongest - HMAC-SHA512?

No, go ahead. I tend to use sha256, just because it's the default from rndc-confgen.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
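The practical side of the advice above, as an added example that is not part of the original post or of ISC's tooling: a small POSIX shell script that writes a `key`/`controls` pair for rndc using a SHA-2 HMAC and audits an existing key file for `hmac-md5` or `hmac-sha1` statements that should be rotated. On a real host you would run `rndc-confgen -a -A hmac-sha256` and let it write `rndc.key`; the `gen_secret` and `rndc_key_conf` functions here are assumed stand-ins for that so the example runs without BIND installed, and the key name, listen address and port are illustrative.

```shell
#!/bin/sh
# Added example (not from the post or from ISC): emit an rndc key block with a
# SHA-2 HMAC and flag key files that still use MD5 or SHA-1.
# On a real server, "rndc-confgen -a -A hmac-sha256" does the generation step.

# Algorithms we will accept for new or existing keys. hmac-md5 and hmac-sha1
# are deliberately absent, per the advice in the thread.
ALLOWED_ALGS="hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512"

# Produce a 256-bit base64 secret, the same size rndc-confgen uses by default.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print a key statement plus a controls statement bound to that key.
# $1 = key name, $2 = HMAC algorithm, $3 = base64 secret
# The 127.0.0.1:953 listener is an assumption; adjust for your deployment.
rndc_key_conf() {
    keyname="$1"; alg="$2"; secret="$3"
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n\n' \
        "$keyname" "$alg" "$secret"
    printf 'controls {\n\tinet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "%s"; };\n};\n' \
        "$keyname"
}

# Audit a named.conf / rndc.conf / rndc.key style file.
# Returns 0 when every "algorithm ...;" statement is in ALLOWED_ALGS,
# 1 otherwise, printing each weak algorithm so the operator knows what to rotate.
check_key_algorithms() {
    file="$1"; rc=0
    for alg in $(sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^; ]*\)[[:space:]]*;.*/\1/p' "$file" \
                 | tr 'A-Z' 'a-z'); do
        case " $ALLOWED_ALGS " in
            *" $alg "*) ;;
            *) echo "WEAK: $alg in $file"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use (run manually, not executed here):
#   rndc_key_conf rndc-key hmac-sha256 "$(gen_secret)" > /etc/bind/rndc.key
#   check_key_algorithms /etc/bind/rndc.key || echo "rotate weak rndc keys"
```

The audit function is the part worth keeping around: once the key file is generated, `check_key_algorithms` run from a cron job or a config-management check catches the old `hmac-md5` key that someone copied forward from an older named.conf, which is the case the thread warns will eventually stop working.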