[Dnssec-deployment] Starting with SHA1?
feela at network.cz
Wed Aug 4 19:12:16 EDT 2010
On 4.8.2010 22:13, Ondrej Filip wrote:
> On 28.7.2010 23:31, Ondřej Surý wrote:
>> On 28.7.2010 21:27, Jakob Schlyter wrote:
>>> On 28 jul 2010, at 10.01, Edward Lewis wrote:
>>>> As an operator, given access to SHA-1 and SHA-2, which would you
>>> If I would start deployment today, I'd pick SHA-2. If I had an
>>> existing zone, I wouldn't rush rolling to SHA-2 very soon.
>> I would also pick SHA-2. Even though I don't think that SHA-1 usage
>> in DNSSEC is endangered by crypto attacks. Being able to create
>> collision and fitting the collision into what you want in the signed
>> DNS RRSET is two entirely different things with different complexity.
> I believe, this article could be interesting for you. It was
> discovered by one Czech colleague. This was exactly the reason we made
> a last minute change from SHA-256 to SHA-512.
And here is the link - http://eprint.iacr.org/2010/430
Thank you Chris and Eric... :-)
More information about the Dnssec-deployment