[Dnssec-deployment] Starting with SHA1?

Ondrej Filip feela at network.cz
Wed Aug 4 19:12:16 EDT 2010

On 4.8.2010 22:13, Ondrej Filip wrote:
> On 28.7.2010 23:31, Ondřej Surý wrote:
>> On 28.7.2010 21:27, Jakob Schlyter wrote:
>>> On 28 jul 2010, at 10.01, Edward Lewis wrote:
>>>> As an operator, given access to SHA-1 and SHA-2, which would you
>>>> pick?
>>> If I would start deployment today, I'd pick SHA-2. If I had an
>>> existing zone, I wouldn't rush rolling to SHA-2 very soon.
>> I would also pick SHA-2.  Even though I don't think that SHA-1 usage
>> in DNSSEC is endangered by crypto attacks.  Being able to create
>> collision and fitting the collision into what you want in the signed
>> DNS RRSET is two entirely different things with different complexity.
>> Ondrej
> Hi,
> I believe, this article could be interesting for you. It was
> discovered by one Czech colleague. This was exactly the reason we made
> a last minute change from SHA-256 to SHA-512.

And here is the link - http://eprint.iacr.org/2010/430

Thank you Chris and Eric... :-)

			Ondrej F.

More information about the Dnssec-deployment mailing list