On Mon Jan 12 13:44:43 2015, pspacek@redhat.com wrote:
> Unfortunately, it seems that BIND currently has a very limited set of
> crypto settings.

=> It is by design, because BIND follows the first RFCs about DNS (this is why MD5 is still present, and BIND can't at the same time use certified crypto and stay DNS compliant...).

> It would be really helpful if BIND could accept parameters like
> min-rsa-bits

=> I have a specific answer about this.

> and min-dh-bits (or at least specify the allowed DH groups).

=> DH is used only for a very marginal feature which was never updated (with more secure groups and/or ECDH).

> Also, there is no
> way to specify algorithms and minimal accepted parameters/key sizes
> for HMAC algorithms.

=> First, we have to follow the RFCs, e.g., for truncated HMAC, and HMAC parameters are usually configured, so they are under control.

About the RSA minimum size: I have a ticket raising it from 512 to 1024 bits which is stalled because it could make system tests too slow on some old hardware, and this kind of change requires a major release. Moreover, the last time I did some experiments with a FIPS-capable BIND it failed to validate isc.org because the org key had a modulus size of 1023 (<1024) bits. So today I am not so sure it is a good idea to raise the (default) minimum...
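The 1023-bit key mentioned above is exactly the kind of thing an operator would want to check before a resolver starts enforcing a minimum RSA size. The following is an added example, not code from this thread or from BIND: it parses the RFC 3110 public-key encoding carried in a DNSKEY RR (one- or three-byte exponent length, exponent, then modulus), reports the modulus size in bits, and compares it against a chosen threshold. The DNSKEY records are constructed sample input with placeholder moduli, not real zone keys; the function and constant names are the example's own.

```python
import base64

# DNSSEC algorithm numbers whose public key uses the RFC 3110 RSA encoding.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Return the RSA modulus size in bits of an RFC 3110 encoded DNSKEY public key.

    Layout: exponent length (1 byte, or 0x00 followed by a 2-byte length),
    exponent, modulus (everything that remains)."""
    raw = base64.b64decode(pubkey_b64)
    if not raw:
        raise ValueError("empty public key")
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, off = (raw[1] << 8) | raw[2], 3
    modulus = raw[off + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("malformed RFC 3110 key")
    # bit_length() ignores leading zero bits, so a 1023-bit modulus stored in
    # 128 bytes is reported as 1023, not 1024.
    return int.from_bytes(modulus, "big").bit_length()


def check_dnskey(rr_line: str, min_bits: int = 1024):
    """Parse a presentation-format DNSKEY RR and check an RSA key against min_bits.

    Returns (algorithm, modulus_bits, ok). Non-RSA algorithms have no RSA
    modulus, so they return (algorithm, None, True): the minimum does not apply."""
    fields = rr_line.split()
    idx = fields.index("DNSKEY")           # owner [ttl] [class] DNSKEY flags proto alg key...
    alg = int(fields[idx + 3])
    key_b64 = "".join(fields[idx + 4:])    # key may be split over several whitespace-separated chunks
    if alg not in RSA_ALGORITHMS:
        return alg, None, True
    bits = rsa_modulus_bits(key_b64)
    return alg, bits, bits >= min_bits


def constructed_key(modulus_bits: int, exponent: bytes = b"\x01\x00\x01") -> str:
    """Build a syntactically valid RFC 3110 key whose modulus has exactly modulus_bits bits.

    The modulus is a constructed placeholder pattern, not a real RSA key; it is
    only used as sample input for the parser above."""
    nbytes = (modulus_bits + 7) // 8
    top = 1 << ((modulus_bits - 1) % 8)     # sets the highest bit so the size is exact
    modulus = bytes([top | 0x01]) + b"\xa5" * (nbytes - 2) + b"\x01"
    if len(exponent) < 256:
        length = bytes([len(exponent)])
    else:
        length = b"\x00" + len(exponent).to_bytes(2, "big")
    return base64.b64encode(length + exponent + modulus).decode()


# Constructed sample zone data (example.org, placeholder keys), not real records.
SAMPLE_RRS = [
    "example.org. 7200 IN DNSKEY 257 3 5 " + constructed_key(1023),   # the 1023-bit case
    "example.org. 7200 IN DNSKEY 256 3 8 " + constructed_key(2048),
    "example.org. 7200 IN DNSKEY 257 3 13 AAAA",                        # ECDSA P-256: no RSA modulus
]


def audit(rr_lines, min_bits: int = 1024):
    """Check every DNSKEY line; returns the list of (algorithm, bits, ok) tuples."""
    return [check_dnskey(line, min_bits) for line in rr_lines]


if __name__ == "__main__":
    for line, (alg, bits, ok) in zip(SAMPLE_RRS, audit(SAMPLE_RRS, 1024)):
        name = RSA_ALGORITHMS.get(alg, f"alg {alg}")
        size = f"{bits}-bit modulus" if bits is not None else "not RSA"
        print(f"{name:20s} {size:18s} {'OK' if ok else 'BELOW MINIMUM'}")
```

Run it against the output of `dig +short DNSKEY <zone>` (prefix each line with the owner name and the DNSKEY keyword) to see which keys a 1024-bit floor would reject; the 1023-bit sample reproduces the failure described in the message, while the same key passes with the 512-bit floor BIND uses today.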