ACSP Suggestion 2020.13: Improve Reverse DNS Security
Submitted On: 23 July 2020
SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones
Currently, xx.in-addr.arpa reverse DNS zones (e.g. 23.in-addr.arpa) managed by ARIN are signed with key type 5 (RSA/SHA1) and use a SHA-1 hash in the DS record. However, SHA-1 is known to be insecure for key signing (https://shattered.io/). ARIN should use SHA-256 hashes for DS records and key type 8 (RSA/SHA256) for DNSSEC keys. All of the above also holds for ip6.arpa zones.
Value to Community: It would make reverse DNS zones more secure. Because subdomains of a reverse DNS delegation (e.g. 2.0.192.in-addr.arpa) depend on the security of parent domains (192.in-addr.arpa) managed by ARIN, this action could only be done by ARIN.
Timeframe: Not specified
Status: Closed
Updated: 29 July 2021
03 August 2020
Thank you for your suggestion, numbered 2020.13 upon confirmed receipt, asking that we use SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones.
Rolling our key signing keys (KSKs) is in our plan and pending a bug fix from our DNSSEC appliance vendor. Once that has been applied, we will start rolling keys using more modern algorithms as you mention in your suggestion. As we are dependent on this fix by our vendor, we hope to complete transition to a more modern algorithm by the end of 2020.
29 July 2021
Thank you for your suggestion, numbered 2020.13 on confirmed receipt, asking that we use SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones. We have rolled our key signing keys (KSKs) and zone signing keys (ZSKs) to a stronger algorithm (RSA/SHA256, algorithm 8) per your request and guidance from RFC 8624. Additionally, we no longer publish DS records using digest type 1 (SHA-1), instead only publishing digest type 2 (SHA-256), per updated recommendations from RFC 8624.
Because this work is completed, we are closing this suggestion. Thank you for participating in the ARIN Consultation and Suggestion Process.
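The following Python is an added illustration, not part of the suggestion or of ARIN's responses: it builds the DS record a parent zone publishes for a DNSKEY (RFC 4034) and audits the key algorithm and DS digest type against RFC 8624, reporting the algorithm 5 / digest type 1 combination the suggestion objected to and accepting the algorithm 8 / digest type 2 pair ARIN moved to. The owner name 23.in-addr.arpa comes from the suggestion; the key material is a constructed placeholder, not a real ARIN key.

```python
import base64
import hashlib

# RFC 8624 status for the codes this page discusses: key algorithm (for signing)
# and DS digest type (for delegation). Anything that is not "MUST" gets reported.
KEY_ALG = {5: ("RSASHA1", "NOT RECOMMENDED"), 8: ("RSASHA256", "MUST")}
DS_DIGEST = {1: ("SHA-1", "MUST NOT"), 2: ("SHA-256", "MUST")}
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: sum the RDATA as 16-bit words, then fold the carry."""
    acc = sum(int.from_bytes(rdata[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(rdata), 2))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\0"


def make_ds(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS RDATA the parent publishes: digest over owner name + DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    digest = HASHES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def audit(owner: str, rdata: bytes, ds_records: list[str]) -> list[str]:
    """Report a weak key algorithm, weak DS digest types, and DS records that do not match the key."""
    alg_name, alg_status = KEY_ALG.get(rdata[3], ("unlisted here", "not assessed"))
    findings = [] if alg_status == "MUST" else [
        f"DNSKEY algorithm {rdata[3]} ({alg_name}) is {alg_status} for signing"]
    for ds in ds_records:
        tag, _alg, dtype, _digest = ds.split()
        d_name, d_status = DS_DIGEST.get(int(dtype), ("unlisted here", "not assessed"))
        if d_status != "MUST":
            findings.append(f"DS digest type {dtype} ({d_name}) is {d_status} for delegation")
        if int(dtype) in HASHES and make_ds(owner, rdata, int(dtype)) != " ".join(ds.split()).upper():
            findings.append(f"DS key tag {tag} digest type {dtype} does not match the DNSKEY")
    return findings


# Constructed placeholder key material (exponent 65537 plus a fake modulus), not a real ARIN key.
SAMPLE_OWNER = "23.in-addr.arpa."
SAMPLE_PUBKEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 65))).decode()
MODERN_KEY = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)  # flags 257 = KSK, RSA/SHA-256 (algorithm 8)
LEGACY_KEY = dnskey_rdata(257, 3, 5, SAMPLE_PUBKEY)  # same key material, RSA/SHA-1 (algorithm 5)
```

`audit(SAMPLE_OWNER, LEGACY_KEY, [make_ds(SAMPLE_OWNER, LEGACY_KEY, 1)])` returns two findings (weak algorithm, weak digest), while the algorithm 8 / digest type 2 pair returns an empty list.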