[Dnssec-deployment] Starting with SHA1?

Edward Lewis Ed.Lewis at neustar.biz
Tue Jul 27 10:38:47 EDT 2010


At 14:59 +0100 7/27/10, Chris Thompson wrote:

>I don't know whether it is VeriSign or Educause who have chosen that
>signing algorithm for "edu". And as it still has obscured DNSKEYs,
>they could easily be planning to change it before going live anyway.

I am not questioning the decision made; SHA1 is still a viable hash algorithm.

>Regardless of the arguments about the status of different signing
>algorithms in I-D draft-ietf-dnsext-dnssec-registry-fixes, the fact
>that the root zone uses RSASHA256 has forced the issue here:
>everyone has to support it PDQ now.

I disagree with that line of reasoning - it's possible that your 
cache's local policy does not "recognize" SHA256 and accepts DLV 
attestations.

Yes, general purpose code recently written will support RSA 256, but 
"recently written" also implies "shorter track record of success."

Still, I ask...should conventional wisdom be biased towards SHA-2(56)?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.
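The point Lewis raises about a cache's local policy not "recognizing" an algorithm has a concrete consequence for zone operators choosing between RSASHA1 and RSASHA256: a validator that supports none of the algorithms (or DS digest types) in a zone's DS RRset does not fail validation, it treats the delegation as unsigned (RFC 4035 section 5.2). The Python below is an added example, not code from the mailing-list post or from any of the parties named in it. It builds DS records from DNSKEYs (RFC 4034 key tag and digest computation) and models that decision for two constructed validator policies; the zone name example.test., the key bytes and the two policy sets are all constructed placeholders, and the RRSIG check that follows a DS match is deliberately left out. DLV, which Lewis mentions as the fallback such a cache would use, is not modeled.

```python
import base64
import hashlib
from dataclasses import dataclass

# Algorithm numbers from the IANA "DNS Security Algorithm Numbers" registry.
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                   15: "ED25519", 16: "ED448"}
# DS digest types (RFC 4034, RFC 4509, RFC 6605).
DS_HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_dnskey(line: str) -> DNSKEY:
    """Parse one DNSKEY RR in presentation format (RFC 4034 section 2.2)."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return DNSKEY(owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete RSAMD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name, lower-cased (RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(key: DNSKEY, digest_type: int) -> DS:
    """DS RR for a DNSKEY: digest(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = DS_HASHES[digest_type](wire_name(key.owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def classify(ds_set, dnskeys, supported_algs, supported_digests) -> str:
    """Outcome of the parent-to-child DS step under a validator's local algorithm policy.

    Simplified model of RFC 4035 section 5.2: a DS RRset containing no
    algorithm/digest type the validator supports is treated as if no DS existed,
    so the child is "insecure" (unsigned), not "bogus".  The RRSIG verification
    over the DNSKEY RRset that would follow a DS match is omitted.
    """
    usable = [ds for ds in ds_set
              if ds.algorithm in supported_algs and ds.digest_type in supported_digests]
    if not usable:
        return "insecure"
    for ds in usable:
        for key in dnskeys:
            if (key.flags & 0x0100 and key.protocol == 3
                    and key.algorithm == ds.algorithm
                    and make_ds(key, ds.digest_type) == ds):
                return "secure"
    return "bogus"


# Constructed sample material: example.test. is a placeholder zone and the key
# bytes are placeholders, not real RSA public keys.
SHA1_KSK = parse_dnskey("example.test. 3600 IN DNSKEY 257 3 5 AwEAAQ==")
SHA256_KSK = DNSKEY("example.test.", 257, 3, 8, bytes(range(3, 40)))
OTHER_KSK = DNSKEY("example.test.", 257, 3, 8, bytes(range(40, 80)))

# Two constructed local policies: an older validator that only knows the RSA/SHA-1
# algorithms and SHA-1 DS digests, and a current one that knows the whole table.
LEGACY = ({5, 7}, {1})
CURRENT = (set(ALGORITHM_NAMES), set(DS_HASHES))


def outcomes() -> dict:
    """Validation outcome for each (zone signing choice, validator policy) pair."""
    results = {}
    zones = [("sha1-zone", SHA1_KSK, [1, 2]), ("sha256-zone", SHA256_KSK, [2])]
    for zone_name, ksk, digest_types in zones:
        ds_set = [make_ds(ksk, t) for t in digest_types]
        for policy_name, (algs, digests) in [("legacy", LEGACY), ("current", CURRENT)]:
            results[(zone_name, policy_name)] = classify(ds_set, [ksk], algs, digests)
    # Parent still publishes a DS for a key the child no longer serves: bogus, not insecure.
    results[("rollover-mismatch", "current")] = classify(
        [make_ds(SHA256_KSK, 2)], [OTHER_KSK], *CURRENT)
    return results


if __name__ == "__main__":
    for (zone, policy), verdict in outcomes().items():
        print(f"{zone:18} {policy:8} -> {verdict}")
```

The table the script prints is the practical answer to the question in the thread: an RSASHA256-only zone is "insecure" (silently unsigned) at a validator whose policy stops at RSASHA1, while an RSASHA1 zone validates at both, which is the track-record argument; a parent DS that no longer matches any child key is "bogus" at every validator, which is the operational risk that is independent of the algorithm choice.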
