What are good default settings for DNSSEC?
I use Google Domains and just opened an account with A2 Hosting. I'd like to keep using DNSSEC. A2 Hosting requires me to "Please open a support ticket and provide the following information:
- DS Record
- Digest
- Digest Type
- Algorithm
- Public Key
- Key Tag
- Flags"
I see how I can put these into Google, but what are good default settings to request from A2?
Solution 1:
There seems to be some confusion in the question regarding who is in which role and needs what information; I'll just try to address the underlying question(s) more generically:
The different parties relevant to your question
- Signer: The signer (typically the DNS hosting provider, which may coincidentally be the same entity as the registrar, as many registrars also provide related services) needs to create keys and sign the zone.
- Registrar: The registrar needs to get information about the key that is the entry point for signing the zone (KSK/CSK), so that they can add a DS record in the TLD zone telling the world that the zone is signed and what key it is signed with.
The information mentioned in the question (DS Record, Digest, Digest Type, Algorithm, Public Key, Key Tag, Flags) is what the registrar needs to add the above-mentioned DS record. These are directly derived from the KSK/CSK key used by the signer.
DNSSEC key algorithms/parameters
The main thing to consider when creating keys is the DNSSEC algorithm and for some algorithms, where this is variable, also the key length.
If the key creation is handled by some hosting provider, they may not even give you a choice in this, but if they allow you to choose or if you run your own, you need to pick the algorithm.
As with all crypto, the best practice algorithm choice evolves over time, so I will refer to the Algorithm Selection section of rfc8624 (this document is from 2019 and still relevant, consider future documents that will eventually replace this one) as a snapshot for that situation.
Summarizing the Algorithm Selection section of rfc8624, ECDSAP256SHA256 (13) is the current recommendation for DNSSEC keys.
(Out of all the older algorithms, RSASHA256 (8) is the only one that still holds a strong status, but that is also largely considered in the process of slowly being phased out.)
As for DS algorithms (how the DS record is derived from a key), the current recommendation is SHA-256 (2).
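To make the "directly derived from the KSK" part concrete, here is an added example (not part of the answer above, and not A2 Hosting's or Google Domains' code) that builds the DS record a registrar asks for from a zone's KSK DNSKEY: the key tag is computed per RFC 4034 Appendix B, and the digest is SHA-256 (digest type 2) over the canonical owner name in wire format followed by the DNSKEY RDATA, per RFC 4034 section 5.1.4. The sample key is constructed: 64 placeholder bytes in the shape of an algorithm 13 (ECDSAP256SHA256) public key, not a real P-256 point. The `ds_matches` helper is the check you would run against the DS values your registrar actually publishes, so a typo in a support ticket shows up as a mismatch rather than a broken delegation.

```python
"""Derive the DS record a registrar needs from a zone's KSK DNSKEY.

Key tag: RFC 4034 Appendix B. DS digest: RFC 4034 section 5.1.4,
digest(owner name in canonical wire format || DNSKEY RDATA).
Digest type 2 (SHA-256) is the recommended one; types 1 and 4 are
only here so existing DS records using them can still be checked.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DSRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, as usually pasted into registrar forms

    def to_text(self, owner: str) -> str:
        return (f"{owner} IN DS {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest}")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit ones-complement-style sum over the RDATA.
    It only disambiguates keys with the same owner name; it is not a MAC."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key_b64: str, digest_type: int = 2) -> DSRecord:
    """Compute the DS record for a DNSKEY given in the usual zone-file form."""
    if digest_type not in DIGEST_FUNCS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 2.1.2)")
    if not flags & 0x0100:  # Zone Key flag (bit 7); DS must point at a zone key
        raise ValueError("DNSKEY is not a zone key; refusing to derive a DS")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    digest = DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return DSRecord(key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(ds: DSRecord, owner: str, flags: int, protocol: int,
               algorithm: int, public_key_b64: str) -> bool:
    """Recompute the DS from the DNSKEY and compare; this is what a validator
    does, and what you should do against the DS your registrar published."""
    try:
        return make_ds(owner, flags, protocol, algorithm,
                       public_key_b64, ds.digest_type) == ds
    except ValueError:
        return False


# Constructed sample: a KSK-shaped DNSKEY (flags 257 = Zone Key + SEP,
# algorithm 13 = ECDSAP256SHA256). The 64 key bytes are a placeholder,
# not a real P-256 public key; only the DS derivation is being exercised.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                 SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print(ds.to_text(SAMPLE_OWNER))
```

The output line maps one-to-one onto the fields in the question: Key Tag, Algorithm, Digest Type and Digest are the four DS fields, while Flags, Algorithm and Public Key are the DNSKEY fields they were derived from. Whoever signs the zone (here, the hosting provider) holds the DNSKEY and should hand you these values; the registrar only ever needs the DS side.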