[Dnssec-deployment] Starting with SHA1?

Paul Hoffman paul.hoffman at vpnc.org
Wed Aug 4 19:27:17 EDT 2010


At 1:12 AM +0200 8/5/10, Ondrej Filip wrote:
> > I believe, this article could be interesting for you. It was
>> discovered by one Czech colleague. This was exactly the reason we made
>> a last minute change from SHA-256 to SHA-512.
>
>And here is the link - http://eprint.iacr.org/2010/430

Maybe you misread the paper. It says "Our attack reduces the collision search, from the generic bound of 2^(n/2) to 2^(n/2-k/2) number of hash calls, where hashing is done over messages of length 2^k blocks."
It is unlikely (actually, impossible) that any of your DNS records will be 2^256 bits long.

--Paul Hoffman, Director
--VPN Consortium


More information about the Dnssec-deployment mailing list