[ARIN-Suggestions] Response to ACSP 2020.13: Improve Reverse DNS Security

ARIN info at arin.net
Mon Aug 3 09:51:32 EDT 2020

On 3 August we issued our response to ACSP 2020.13: Improve Reverse DNS

Thank you for your suggestion, numbered 2020.13 upon confirmed receipt,
asking that we use SHA-256 keys for xx.in-addr.arpa and ip6.arpa
(reverse DNS) zones.

Rolling our key signing keys (KSKs) is in our plan and pending a bug fix
from our DNSSEC appliance vendor. Once that has been applied, we will
start rolling keys using more modern algorithms as you mention in your
suggestion. As we are dependent on this fix by our vendor, we hope to
complete transition to a more modern algorithm by the end of 2020.

The full text of the suggestion is available below and at:

SHA-256 keys for xx.in-addr.arpa and ip6.arpa (reverse DNS) zones

Currently, xx.in-addr.arpa reverse DNS zones (e.g. 23.in-addr.arpa)
managed by ARIN are signed with key type 5 (RSA/SHA1) and use a SHA-1
hash in the DS record. However, SHA1 is known to be insecure for key
signing (https://shattered.io/). ARIN should use SHA-256 hashes for DS
records and key type 8 (RSA/SHA256) for DNSSEC keys. All of the above
also holds for ip6.arpa zones.

Value to Community: It would make reverse DNS zones more secure. Because
subdomains of a reverse DNS delegation (e.g. 2.0.192.in-addr.arpa)
depend on the security of parent domains (192.in-addr.arpa) managed by
ARIN, this action could only be done by ARIN.

Timeframe: Not specified


American Registry for Internet Numbers (ARIN)
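As an added illustration that is not part of the ARIN response or the suggestion, the following Python helper audits DNSKEY and DS records in presentation format for the condition the suggestion describes: DNSKEY algorithm 5 (RSA/SHA1) and DS digest type 1 (SHA-1), which should be replaced by algorithm 8 (RSA/SHA256) and digest type 2 (SHA-256). It goes slightly beyond the text by also flagging algorithm 7 (RSASHA1-NSEC3-SHA1); the sample records are constructed placeholders, not ARIN's real keys.

```python
# IANA DNSSEC algorithm numbers whose signatures depend on SHA-1
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
SHA1_DS_DIGEST = 1  # IANA DS digest type 1 is SHA-1; type 2 is SHA-256


def parse_record(line):
    """Split a presentation-format RR into (owner, type, rdata fields);
    TTL and class are optional, as in zone files and dig output."""
    fields = line.split()
    owner, rest = fields[0], fields[1:]
    if rest and rest[0].isdigit():                      # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
        rest = rest[1:]
    return owner, rest[0].upper(), rest[1:]


def audit_records(lines):
    """Return one finding per DNSKEY or DS record that still relies on SHA-1."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, rtype, rdata = parse_record(line)
        if rtype == "DNSKEY":
            flags, algorithm = int(rdata[0]), int(rdata[2])
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks the KSK
            if algorithm in SHA1_ALGORITHMS:
                findings.append(f"{owner} {role} algorithm {algorithm} "
                                f"({SHA1_ALGORITHMS[algorithm]}): roll to 8 (RSASHA256)")
        elif rtype == "DS":
            key_tag, algorithm, digest_type = (int(x) for x in rdata[:3])
            issues = []
            if digest_type == SHA1_DS_DIGEST:
                issues.append("digest type 1 (SHA-1): publish type 2 (SHA-256)")
            if algorithm in SHA1_ALGORITHMS:
                issues.append(f"refers to an {SHA1_ALGORITHMS[algorithm]} key")
            if issues:
                findings.append(f"{owner} DS key tag {key_tag}: " + "; ".join(issues))
    return findings


# Constructed sample records with placeholder key/digest material (not ARIN's)
SAMPLE_RECORDS = [
    "23.in-addr.arpa. 86400 IN DNSKEY 257 3 5 PLACEHOLDERKSKBASE64",
    "23.in-addr.arpa. 86400 IN DNSKEY 256 3 5 PLACEHOLDERZSKBASE64",
    "23.in-addr.arpa. IN DS 12345 5 1 " + "ab" * 20,
    "23.in-addr.arpa. IN DS 12345 5 2 " + "ab" * 32,
    "2.0.192.in-addr.arpa. DNSKEY 257 3 8 PLACEHOLDERKSKBASE64",
]
```

Feed it the output of `dig +norec DNSKEY 23.in-addr.arpa` and `dig DS 23.in-addr.arpa` to check a live zone; a clean zone returns an empty list.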