ACSP Suggestion 2020.13: Improve Reverse DNS Security
Submitted On: 23 July 2020
SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones
Currently, xx.in-addr.arpa reverse DNS zones (e.g. 23.in-addr.arpa) managed by ARIN are signed with key type 5 (RSA/SHA-1) and use a SHA-1 hash in the DS record. However, SHA-1 is known to be insecure for key signing (https://shattered.io/). ARIN should use SHA-256 hashes for DS records and key type 8 (RSA/SHA-256) for DNSSEC keys. All of the above also holds for ip6.arpa zones.
Value to Community: It would make reverse DNS zones more secure. Because subdomains of a reverse DNS delegation (e.g. 2.0.192.in-addr.arpa) depend on the security of parent domains (192.in-addr.arpa) managed by ARIN, this action could only be done by ARIN.
Timeframe: Not specified
Status: Open
Updated: 03 August 2020
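As an added example (not ARIN's tooling and not part of the suggestion or the response), the following Python audits DNSKEY and DS records in zone-file presentation format for the SHA-1 dependencies the suggestion describes (DNSKEY algorithm 5 or 7, DS digest type 1) and derives the SHA-256 DS record (digest type 2) that a parent would publish for a given DNSKEY, following the RFC 4034 key-tag and DS digest construction. The sample records and the all-zero public key are constructed placeholders, not ARIN's actual keys.

```python
"""Audit DNSKEY/DS records for SHA-1 use and derive SHA-256 DS records.

Added example, not ARIN code. The records and key bytes below are
constructed placeholders (the public key is eight zero bytes).
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass

# DNSSEC signature algorithm numbers (IANA registry, subset).
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}
SHA1_ALGORITHMS = {5, 7}  # signature algorithms built on SHA-1
# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256),
                4: ("SHA-384", hashlib.sha384)}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_text(cls, line: str) -> "DNSKEY":
        # "<owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <base64 key...>"
        owner, _ttl, _cls, rtype, flags, proto, alg, *key = line.split()
        if rtype != "DNSKEY":
            raise ValueError("not a DNSKEY record: " + line)
        return cls(owner, int(flags), int(proto), int(alg),
                   base64.b64decode("".join(key)))

    def rdata(self) -> bytes:
        """Wire RDATA: flags (2 bytes) | protocol | algorithm | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds(self, digest_type: int = 2) -> str:
        """DS RDATA in presentation form; digest = H(owner wire | DNSKEY RDATA)."""
        _name, hasher = DIGEST_TYPES[digest_type]
        digest = hasher(name_to_wire(self.owner) + self.rdata()).hexdigest().upper()
        return f"{self.key_tag()} {self.algorithm} {digest_type} {digest}"


def audit(records: list) -> list:
    """Return one finding string per SHA-1 dependency found in the records."""
    findings = []
    for line in records:
        fields = line.split()
        owner, rtype = fields[0], fields[3]
        if rtype == "DNSKEY":
            alg = int(fields[6])
            if alg in SHA1_ALGORITHMS:
                findings.append(f"{owner}: DNSKEY algorithm {alg} "
                                f"({ALGORITHM_NAMES[alg]}); move to 8 (RSASHA256) or newer")
        elif rtype == "DS":
            alg, dtype = int(fields[5]), int(fields[6])
            if dtype == 1:
                findings.append(f"{owner}: DS digest type 1 (SHA-1); "
                                f"publish a digest type 2 (SHA-256) DS")
            if alg in SHA1_ALGORITHMS:
                findings.append(f"{owner}: DS refers to an algorithm {alg} key")
    return findings


# Constructed sample records (placeholder key, placeholder SHA-1 digest).
PLACEHOLDER_KEY = base64.b64encode(bytes(8)).decode()
SAMPLE_RECORDS = [
    f"23.in-addr.arpa. 86400 IN DNSKEY 257 3 5 {PLACEHOLDER_KEY}",
    "in-addr.arpa. 86400 IN DS 1030 5 1 " + "0" * 40,
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print("FINDING:", finding)
    key = DNSKEY.from_text(SAMPLE_RECORDS[0])
    print("SHA-256 DS for the sample key:", key.ds(2))
```

The audit only reads the algorithm and digest-type fields, so it runs on a plain `dig DNSKEY` / `dig DS` dump; `DNSKEY.ds(2)` shows the record the parent zone would need once the child's KSK is rolled.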
03 August 2020
Thank you for your suggestion, numbered 2020.13 upon confirmed receipt, asking that we use SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones.
Rolling our key signing keys (KSKs) is in our plan and pending a bug fix from our DNSSEC appliance vendor. Once that has been applied, we will start rolling keys using more modern algorithms as you mention in your suggestion. As we are dependent on this fix by our vendor, we hope to complete transition to a more modern algorithm by the end of 2020.