[Dnssec-deployment] Is RSASHA256 mature enough for a TLD?
cet1 at cam.ac.uk
Sat Jun 12 13:13:25 EDT 2010
On Jun 11 2010, Joe Abley wrote:
>On 2010-06-11, at 15:51, Edward Lewis wrote:
>> I'm looking for the conventional wisdom on whether we should use
>> RSASHA1 or RSASHA256 for our next zone to sign. Trying to avoid
>> starting a key mgt instance on RSASHA1 and then having to roll to
>> RSASHA256 in the near future.
>> I see the DURZ uses RSASHA256...but no one can validate it for some
>> reason. (;))
>ARPA also uses RSASHA256.
UK [Nominet] and PM [AFNIC] as well, though neither are advertising
their keys yet (AFAIK).
Ask yourself "do I care if validators stuck on BIND 9.5 or earlier,
who also won't be able to validate zones using NSEC3, cannot validate
my zone?". The answer *might* be "yes", in which case use RSASHA1
(and NSEC, of course).
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the Dnssec-deployment