ACSP Suggestion 2020.13: Improve Reverse DNS Security

Suggestion

Author: Anonymous   
Submitted On: 23 July 2020

Description:

SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones

Currently, xx.in-addr.arpa reverse DNS zones (e.g. 23.in-addr.arpa) managed by ARIN are signed with key type 5 (RSA/SHA-1) and use a SHA-1 hash in the DS record. However, SHA-1 is known to be insecure for key signing (https://shattered.io/). ARIN should use SHA-256 hashes for DS records and key type 8 (RSA/SHA-256) for DNSSEC keys. All of the above also holds for ip6.arpa zones.

Value to Community: It would make reverse DNS zones more secure. Because subdomains of a reverse DNS delegation (e.g. 2.0.192.in-addr.arpa) depend on the security of parent domains (192.in-addr.arpa) managed by ARIN, this action could only be done by ARIN.

Timeframe: Not specified

Status: Open   Updated: 03 August 2020
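The suggestion turns on two numbers that are easy to check from outside: the algorithm field of the zone's DNSKEY (5 and 7 are the RSA/SHA-1 variants, 8 is RSA/SHA-256) and the digest type of the DS record in the parent (1 is SHA-1, 2 is SHA-256). The script below is an added example, not part of the suggestion or of ARIN's response. It parses DNSKEY and DS records in the presentation form that dig prints, recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) to confirm the DS actually covers the key, and reports any SHA-1 use. The sample records are constructed: the base64 key bytes are arbitrary filler, not a real ARIN key, and the DS records are generated from those keys so the digests are consistent.

```python
"""Audit a reverse zone's DNSKEY/DS pair for SHA-1 use and DS consistency.

Added example; not code from the ARIN suggestion or from ARIN.  Sample
records are constructed for illustration.  Run against live data with, e.g.:
    dig +norec DNSKEY 23.in-addr.arpa. @a.in-addr-servers.arpa.
    dig DS 23.in-addr.arpa.
"""
import base64
import hashlib
import struct

# IANA DNSSEC algorithm numbers whose signatures are SHA-1 based.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
# IANA DS digest types.
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256),
                4: ("SHA-384", hashlib.sha384)}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(rr: str):
    """Split 'owner [TTL] [IN] DNSKEY flags proto alg base64...' into (owner, rdata, alg)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return fields[0], rdata, alg


def parse_ds(rr: str):
    """Split 'owner [TTL] [IN] DS keytag alg digesttype hex...' into its parts."""
    fields = rr.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], tag, alg, dtype, "".join(fields[i + 4:]).upper()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 5.1.4: digest over canonical owner name || DNSKEY RDATA."""
    return DIGEST_TYPES[digest_type][1](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(owner: str, rdata: bytes, alg: int, digest_type: int = 2) -> str:
    """Build the DS record a parent would publish for this DNSKEY."""
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def audit(dnskey_rr: str, ds_rr: str) -> list:
    """Return findings: SHA-1 algorithm, SHA-1 digest, or a DS that does not cover the key."""
    owner, rdata, alg = parse_dnskey(dnskey_rr)
    _, tag, ds_alg, dtype, digest = parse_ds(ds_rr)
    findings = []
    if alg in SHA1_ALGORITHMS:
        findings.append(f"DNSKEY uses algorithm {alg} ({SHA1_ALGORITHMS[alg]}): SHA-1 signatures")
    if dtype == 1:
        findings.append("DS uses digest type 1 (SHA-1)")
    if dtype not in DIGEST_TYPES:
        findings.append(f"DS uses unsupported digest type {dtype}")
        return findings
    if tag != key_tag(rdata) or ds_alg != alg or digest != ds_digest(owner, rdata, dtype):
        findings.append("DS does not match DNSKEY (key tag, algorithm or digest differs)")
    return findings


# Constructed sample: a KSK for 23.in-addr.arpa published as algorithm 5 (the
# configuration the suggestion describes) and the same key bytes republished as
# algorithm 8.  FAKE_KEY is arbitrary base64 filler, not a real key.
FAKE_KEY = "AwEAAaBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefg"
OLD_DNSKEY = f"23.in-addr.arpa. 86400 IN DNSKEY 257 3 5 {FAKE_KEY}"
NEW_DNSKEY = f"23.in-addr.arpa. 86400 IN DNSKEY 257 3 8 {FAKE_KEY}"
OLD_DS = ds_from_dnskey(*parse_dnskey(OLD_DNSKEY), digest_type=1)  # SHA-1 DS
NEW_DS = ds_from_dnskey(*parse_dnskey(NEW_DNSKEY), digest_type=2)  # SHA-256 DS

if __name__ == "__main__":
    for label, k, d in (("current", OLD_DNSKEY, OLD_DS), ("proposed", NEW_DNSKEY, NEW_DS)):
        print(label, d)
        print("  findings:", audit(k, d) or ["none"])
```

The DS check matters during the rollover ARIN describes: a new algorithm-8 KSK is only useful once the parent zone (in-addr.arpa) publishes a digest type 2 DS computed over that key, and a stale or mistyped DS shows up here as a mismatch rather than as a silently bogus delegation.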

Tracking Information

ARIN Comment

03 August 2020

Thank you for your suggestion, numbered 2020.13 upon confirmed receipt, asking that we use SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones.

Rolling our key signing keys (KSKs) is in our plan and pending a bug fix from our DNSSEC appliance vendor. Once that has been applied, we will start rolling keys using more modern algorithms as you mention in your suggestion. As we are dependent on this fix by our vendor, we hope to complete the transition to a more modern algorithm by the end of 2020.