thirdparty/pdns.git / docs / dnssec / profile.rst (git.ipfire.org mirror, at commit "Merge pull request #5686 from rgacogne/dnsdist-qps-action")
DNSSEC Profile and Support
==========================

PowerDNS aims to serve unexciting, standards-compliant DNSSEC
information. One goal is to have the relevant parts of our output be
identical or equivalent to that of important fellow-traveller software such as
NLNetLabs' NSD.

In particular, if a PowerDNS-secured zone is transferred via AXFR, it
should be able to contain the same records as when that zone was signed
with ``ldns-signzone`` using the same keys and settings.

PowerDNS supports serving pre-signed zones as well as online ('live')
signing. In the latter case, signature rollover and key
maintenance are fully managed by PowerDNS.

.. _dnssec-supported-algos:

Supported Algorithms
--------------------

Supported algorithms (see the `IANA
website <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`__
for more information):

- RSASHA1 (algorithms 5 and 7)
- RSASHA256 (algorithm 8)
- RSASHA512 (algorithm 10)
- ECC-GOST (algorithm 12)
- ECDSA (algorithms 13 and 14)
- ed25519 (algorithm 15)
- ed448 (algorithm 16)

For DS records, these `digest
types <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__
are supported:

- SHA-1 (digest type 1)
- SHA-256 (digest type 2)
- GOST R 34.11-94 (digest type 3)
- SHA-384 (digest type 4)

This corresponds to the following RFCs:

- :rfc:`4033`: DNS Security Introduction and Requirements
- :rfc:`4034`: Resource Records for the DNS Security Extensions
- :rfc:`4035`: Protocol Modifications for the DNS Security Extensions
- :rfc:`4509`: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
- :rfc:`5155`: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
- :rfc:`5702`: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
- :rfc:`5933`: Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
- :rfc:`6605`: Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
- :rfc:`8080`: Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC

To facilitate interoperability with existing technologies,
PowerDNS keys can be imported and exported in industry-standard formats.

When OpenSSL is used for ECDSA signatures (this is the default), starting from
OpenSSL 1.1.0 the signing algorithm is resilient against PRNG failure,
while not strictly conforming to :rfc:`6979`.

.. note::
   The actually supported algorithms depend on the crypto libraries
   PowerDNS was compiled against. To check the supported DNSSEC algorithms
   in your build of PowerDNS, run ``pdnsutil list-algorithms``.