[Dnssec-deployment] Starting with SHA1?
Ed.Lewis at neustar.biz
Tue Jul 27 10:38:47 EDT 2010
At 14:59 +0100 7/27/10, Chris Thompson wrote:
>I don't know whether it is VeriSign or Educause who have chosen that
>signing algorithm for "edu". And as it still has obscured DNSKEYs,
>they could easily be planning to change it before going live anyway.
I am not questioning the decision made; SHA1 is still a viable hash algorithm.
>Regardless of the arguments about the status of different signing
>algorithms in I-D draft-ietf-dnsext-dnssec-registry-fixes, the fact
>that the root zone uses RSASHA256 has forced the issue here:
>everyone has to support it PDQ now.
I disagree with that line of reasoning - it's possible that your
cache's local policy does not "recognize" SHA256 and accepts DLV
Yes, general-purpose code recently written will support RSA 256, but
"recently written" also implies "shorter track record of success."
Still, I ask...should conventional wisdom be biased towards SHA-2(56)?
NeuStar
You can leave a voice message at +1-571-434-5468
Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.
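The point argued in the message above (a cache whose local policy does not recognize RSASHA256 cannot use the root trust anchor, and only a DLV lookaside or a configured trust anchor below the root gets it back to a secure state, regardless of "edu" being signed with RSASHA1) can be modeled as a validator's algorithm-support decision. The following is an added example, not code from the list or from any resolver; the zone model and the algorithm sets are constructed for illustration, DS algorithms are taken to equal the child's key algorithms, DLV is reduced to a lookaside map, and no signatures are actually checked. The decision rule for a DS RRset with no supported algorithm follows RFC 4035 section 5.2 (treated as if no DS existed: insecure, not bogus); treating a trust anchor with an unsupported algorithm as unusable is an assumption of this model.

```python
"""Model of a DNSSEC validator's algorithm-support decision (added example).

The zone data here is constructed for illustration; the real root and edu
zones are not consulted. The rule for unsupported DS algorithms follows
RFC 4035, section 5.2: the child is treated as insecure, not bogus.
"""

# IANA DNSSEC algorithm numbers (RFC 5702 assigns 8 to RSASHA256)
RSASHA1 = 5
RSASHA256 = 8
ALG_NAMES = {RSASHA1: "RSASHA1", RSASHA256: "RSASHA256"}

# Constructed zone model: zone name -> algorithms of the keys signing it.
# A parent publishes one DS per child key, so the DS algorithms for a
# child are modeled as the child's own key algorithms.
ZONES = {
    ".": {RSASHA256},
    "edu.": {RSASHA1},
    "example.edu.": {RSASHA1},
}

# Constructed trust-anchor configuration: the root key, algorithm 8.
ROOT_TA = {".": {RSASHA256}}


def names(algs):
    """Human-readable, sorted algorithm list for the reason strings."""
    return ",".join(ALG_NAMES.get(a, str(a)) for a in sorted(algs))


def chain(name):
    """'example.edu.' -> ['.', 'edu.', 'example.edu.'] (root first)."""
    labels = [label for label in name.split(".") if label]
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        path.append(".".join(labels[i:]) + ".")
    return path


def validate(name, supported, trust_anchors, dlv=None, zones=ZONES):
    """Walk from the root to `name`; return ('secure'|'insecure', reason).

    supported     : algorithm numbers the validator implements
    trust_anchors : zone name -> algorithms of its configured trust-anchor keys
    dlv           : zone name -> algorithms recorded in a DLV lookaside (optional)
    """
    dlv = dlv or {}
    status, reason = "insecure", "no trust anchor"
    for zone in chain(name):
        algs = zones[zone]
        if zone in trust_anchors:
            # Assumption of the model: a trust anchor whose algorithm the
            # validator cannot process is unusable, so the zone is insecure.
            usable = algs & trust_anchors[zone] & supported
            status = "secure" if usable else "insecure"
            reason = (f"{zone} trust anchor uses {names(algs)}; "
                      f"validator supports {names(supported)}")
        elif status == "secure":
            # Parent is secure, so its DS RRset for this zone is authenticated.
            if algs & supported:
                reason = f"{zone} DS/DNSKEY algorithm {names(algs)} supported"
            else:
                # RFC 4035 s5.2: no supported DS algorithm == no DS at all.
                status = "insecure"
                reason = (f"{zone} DS algorithms {names(algs)} unsupported; "
                          "treated as no DS (RFC 4035 s5.2)")
        elif zone in dlv and dlv[zone] & supported & algs:
            # Parent is insecure: a DLV lookaside record re-enters secure state.
            status = "secure"
            reason = f"{zone} validated via DLV record ({names(dlv[zone])})"
        # Otherwise the zone inherits the insecure state and its cause.
    return status, reason


if __name__ == "__main__":
    # Cache that implements both algorithms: edu validates through the root.
    print(validate("edu.", {RSASHA1, RSASHA256}, ROOT_TA))
    # Cache that implements only RSASHA1: the root anchor is unusable, so
    # edu is insecure even though edu itself is signed with RSASHA1.
    print(validate("edu.", {RSASHA1}, ROOT_TA))
    # Same cache with a DLV entry for edu: secure again via the lookaside.
    print(validate("edu.", {RSASHA1}, ROOT_TA, dlv={"edu.": {RSASHA1}}))
```

The second call is the "everyone has to support it PDQ" situation: nothing edu does with its own signing algorithm can help a cache that cannot process the root's RSASHA256 keys. The third call is the lookaside case the message refers to, and the same walk also shows the converse: a cache that implements only RSASHA256 validates the root but, lacking a supported DS algorithm for an RSASHA1-signed edu, treats edu as insecure rather than bogus.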