
I use Google Domains and just opened an account with A2 Hosting. I'd like to keep using DNSSEC. A2 Hosting requires me to "Please open a support ticket and provide the following information:

DS Record Digest Digest Type Algorithm Public Key Key Tag Flags"

I see how I can put these into Google, but what are good default settings to request from A2?

  • Who is who in this? The information that you say that A2 Hosting wants sounds like what the registrar would want. Are you sure the instructions you are following are relevant to what you are actually doing? (I assume from the question that Google Domains is the registrar, not A2 Hosting?) – Håkan Lindqvist Feb 22 '21 at 11:46
  • Yes, Google is the registrar and A2 the web host. I agree with your point, but that is a quote from the A2 KnowledgeBase. The intro states that "If you registered your domain with A2 Hosting and use other nameservers that support DNSSEC, we can set up DNSSEC at the registrar level." They want me to provide this information so that they can set things up on their side, and then I will enter it into Google Domains. – sean.mcgrath Feb 22 '21 at 12:45
  • Does A2 have anything to do with DNS in this case, though? If they are purely the web host, they don't need anything in this regard. – Håkan Lindqvist Feb 22 '21 at 12:48
  • I might be mixing up terms. Google is my domain registrar, but I have to use A2 as my DNS provider as they do the web hosting. Google also mentioned that I therefore need to get DNSSEC information from them. In any case, my main question is whether there are typical/standard values that I should use. – sean.mcgrath Feb 22 '21 at 12:53
  • Ok, I posted my answer. If I understand it correctly, A2 is probably the "signer" in what I describe (assuming they support this) while Google Domains is the "registrar". – Håkan Lindqvist Feb 22 '21 at 13:05
  • You do not have to use A2 as your DNS provider merely because they host your web site. – Michael Hampton Feb 22 '21 at 17:32
  • Thanks, Michael. Yes, that makes sense. I'll look into whether it is worth switching. – sean.mcgrath Feb 23 '21 at 18:34

1 Answer

There seems to be some confusion in the question regarding who is in which role and needs what information; I'll just try to address the underlying question(s) more generically:

The different parties relevant to your question

  • Signer
    The signer (typically the DNS hosting provider, which may coincidentally be the same entity as the registrar, as many registrars also provide related services) needs to create keys and sign the zone.

  • Registrar
    The registrar needs to get information about the key that is the entry point for signing the zone (KSK/CSK), so that they can add a DS record in the TLD zone telling the world that the zone is signed and what key it is signed with.

The information mentioned in the question, DS Record Digest Digest Type Algorithm Public Key Key Tag Flags, is what the registrar needs to add the above-mentioned DS record. These are directly derived from the KSK/CSK key used by the signer.

DNSSEC key algorithms/parameters

The main thing to consider when creating keys is the DNSSEC algorithm and for some algorithms, where this is variable, also the key length.
If the key creation is handled by some hosting provider, they may not even give you a choice in this, but if they allow you to choose or if you run your own, you need to pick the algorithm.

As with all crypto, the best practice algorithm choice evolves over time, so I will refer to the Algorithm Selection section of rfc8624 (this document is from 2019 and still relevant, consider future documents that will eventually replace this one) as a snapshot for that situation.

Summarizing the Algorithm Selection section of rfc8624, ECDSAP256SHA256 (13) is the current recommendation for DNSSEC keys.
(Out of all the older algorithms, RSASHA256 (8) is the only one that still holds a strong status, but that is also largely considered in the process of slowly being phased out.)

As for DS algorithms (how the DS record is derived from a key), the current recommendation is SHA-256 (2).

Håkan Lindqvist
  • Thank you. That is helpful. I suspect that you are correct in that the instructions are not relevant to what I wanted to do. In any case, you gave the information for what I *thought* I wanted. I was not clear on the definitions for the roles. I'll recheck and either: 1. use your information or 2. do nothing. :-) – sean.mcgrath Feb 22 '21 at 14:37
  • Note the text for ED25519: "It is expected that ED25519 will become the future RECOMMENDED default algorithm once there's enough support for this algorithm in the deployed DNSSEC validators." Support is now [almost as good](https://dnsthought.nlnetlabs.nl/#ed25519) as for [ECDSA-P256](https://dnsthought.nlnetlabs.nl/#ecdsa256) – miken32 Oct 24 '22 at 16:10
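To make the answer's derivation concrete: the Digest, Digest Type, Algorithm, Key Tag and Flags the registrar asks for are all computed from the signer's DNSKEY record (RFC 4034). This is an added example, not code from the answer or from either provider; the owner name and the 64-byte public key are constructed placeholders and the only dependency is the Python standard library.

```python
import base64
import hashlib

# Constants used by the answer above (IANA DNSSEC registry values).
ECDSAP256SHA256 = 13      # DNSKEY/DS algorithm number recommended in RFC 8624
DS_DIGEST_SHA256 = 2      # DS digest type "SHA-256"
DNSKEY_PROTOCOL = 3       # fixed value for DNSSEC keys (RFC 4034)
KSK_FLAGS = 257           # Zone Key (256) + Secure Entry Point (1): a KSK/CSK

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([DNSKEY_PROTOCOL, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum of 16-bit words with end-around carry."""
    ac = 0
    for i in range(0, len(rdata), 2):
        ac += (rdata[i] << 8) | (rdata[i + 1] if i + 1 < len(rdata) else 0)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, algorithm: int, public_key_b64: str) -> dict:
    """Derive the DS fields a registrar asks for from the signer's DNSKEY (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, algorithm, base64.b64decode(public_key_b64))
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DS_DIGEST_SHA256, "digest": digest,
            "flags": flags, "public_key": public_key_b64}

def ds_presentation(owner: str, ds: dict) -> str:
    """Presentation form of the DS record the registrar publishes in the parent zone."""
    return f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256 public key
# (x||y, RFC 6605). It is NOT a real curve point; it only exercises the derivation.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, KSK_FLAGS, ECDSAP256SHA256, SAMPLE_PUBKEY_B64)
    print(ds_presentation(SAMPLE_OWNER, ds))
```

The printed DS line is what goes into the registrar's form; a quick sanity check after publishing is that the key tag and digest shown by the signer's DNSKEY match what the parent zone serves.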