Option to use the SHA384 delegation signer algorithm through CDS / DNSSEC automation
Personally, I'd like to use ECDSAP384SHA384 (14) with the SHA384 (4) algorithm as the delegation signer, which also seems to be possible when retrieving the DS list manually through keymgr, e.g.:
```
$ keymgr example.com ds
example.com. DS 32506 14 1 52510394eec9424ecc5d71bf69dce8ceef6dac21
example.com. DS 32506 14 2 8494db88309cb7dd09fafbf8875e6ca331fbc63860196781256216cbe541e803
example.com. DS 32506 14 4 5a2ffd3123b450c6c5d54de0bfe382e562f1d9dbc06fae4652b803cd633d11705c7b228287237b3eb2527bb89133c1e6
```
However, when querying for CDS using e.g. dig, it only seems to be ECDSAP384SHA384 (14) with SHA256 (2):
```
$ dig +noall +answer CDS example.com @127.53.53.53 -p 5353
example.com. 0 IN CDS 32506 14 2 8494DB88309CB7DD09FAFBF8875E6CA331FBC63860196781256216CB E541E803
```
All of this is achieved with a very basic configuration, example.com zone file as /etc/knot/zones/example.com, and the rest of the configuration like in this example:
```yaml
server:
    rundir: "/run/knot"
    user: knot:knot
    listen: [ 127.53.53.53@5353 ]

log:
  - target: syslog
    any: info

policy:
  - id: p384
    algorithm: ecdsap384sha384
    zsk-lifetime: 1d
    ksk-lifetime: 7d
    cds-cdnskey-publish: always

template:
  - id: default
    storage: "/etc/knot/zones/"
    file: "%s.zone"
    dnssec-signing: on
    dnssec-policy: p384

zone:
  - domain: example.com
    template: default
```
I am therefore suggesting that Knot should have an option similar to the PowerDNS "PUBLISH-CDS"?
-> https://doc.powerdns.com/authoritative/domainmetadata.html#publish-cdnskey-publish-cds
Perhaps a new policy option, such as for example "cds-signature-algorithm", so that either of these two:
```yaml
policy:
  - id: p384
    algorithm: ecdsap384sha384
    cds-signature-algorithm: sha384
```

```yaml
policy:
  - id: p384
    algorithm: ecdsap384sha384
    cds-signature-algorithm: 4
```
would go out and publish ECDSAP384SHA384 (14) with the SHA384 (4) delegation signer, e.g.:
```
$ dig +noall +answer CDS example.com @127.53.53.53 -p 5353
example.com. 0 IN CDS 32506 14 4 5a2ffd3123b450c6c5d54de0bfe382e562f1d9dbc06fae4652b803cd633d11705c7b228287237b3eb2527bb89133c1e6
```
And if such an option is left unattended (omitted from the configuration), I would personally say that such a "cds-signature-algorithm" option should have dynamic defaults, and e.g. default to 4 (SHA384) when used with ECDSAP384SHA384; however, with ECDSAP256SHA256 or RSASHA256, it can simply default to 2 (SHA256).
... I somehow cannot believe it is intentional that it is impossible to configure Knot to publish the CDS with digest algorithm 4 (SHA384)?
Some quick grepping through the code as well as searching the documentation does not reveal this particular option in Knot.
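A check that goes with the observation above, added here and not part of the issue or of Knot's own code: it recomputes DS records per RFC 4034 for any of the digest types 1, 2 and 4, and compares the DS set keymgr printed against the CDS set dig returned, reporting which digest types the published CDS actually covers. The DNSKEY used for the DS computation is a constructed stand-in, not a real P-384 key.

```python
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_wire(owner: str) -> bytes:
    """Canonical lower-case wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l.encode() for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int) -> str:
    """DS presentation line for a DNSKEY; the digest covers owner name + DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    digest = DIGEST_ALGOS[digest_type](name_wire(owner) + rdata).hexdigest()
    return f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def parse_rr(line: str) -> tuple:
    """Parse a DS/CDS line from keymgr or dig; dig may split the hex digest with spaces."""
    f = line.split()
    i = next(k for k, tok in enumerate(f) if tok in ("DS", "CDS"))
    return (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower())

def cds_coverage(ds_lines, cds_lines) -> tuple:
    """Return (digest types the CDS set publishes, DS digest types no CDS covers)."""
    ds, cds = {parse_rr(l) for l in ds_lines}, {parse_rr(l) for l in cds_lines}
    return {r[2] for r in cds & ds}, {r[2] for r in ds - cds}

# Records copied from the keymgr and dig output quoted in the issue above.
KEYMGR_DS = [
    "example.com. DS 32506 14 1 52510394eec9424ecc5d71bf69dce8ceef6dac21",
    "example.com. DS 32506 14 2 8494db88309cb7dd09fafbf8875e6ca331fbc63860196781256216cbe541e803",
    "example.com. DS 32506 14 4 5a2ffd3123b450c6c5d54de0bfe382e562f1d9dbc06fae4652b803cd633d11705c7b228287237b3eb2527bb89133c1e6",
]
DIG_CDS = ["example.com. 0 IN CDS 32506 14 2 8494DB88309CB7DD09FAFBF8875E6CA331FBC63860196781256216CB E541E803"]

if __name__ == "__main__":
    published, uncovered = cds_coverage(KEYMGR_DS, DIG_CDS)
    print("CDS publishes digest types:", sorted(published))   # [2]
    print("DS digest types with no CDS:", sorted(uncovered))  # [1, 4]
```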