[Dnssec-deployment] Is RSASHA256 mature enough for a TLD?

Matt Larson mlarson at verisign.com
Fri Jun 11 17:12:10 EDT 2010

On Fri, 11 Jun 2010, Ed Lewis wrote:
> I'm looking for the conventional wisdom on whether we should use RSASHA1 
> or RSASHA256 for our next zone to sign.  Trying to avoid starting a key 
> mgt instance on RSASHA1 and then having to roll to RSASHA256 in the near 
> future.

I'm surprised by your question: considering that the root zone is
signed with RSASHA256, any validators wanting to really join the
DNSSEC party are going to have to understand that algorithm, and soon.

Based on this line of reasoning (that RSASHA256 in the root will
accelerate deployment of code that can validate it), and to avoid the
potential difficulties and instability of an algorithm roll down the
road, .com and .net will use RSASHA256 from the beginning.


More information about the Dnssec-deployment mailing list