[Dnssec-deployment] Is RSASHA256 mature enough for a TLD?

Matt Larson mlarson at verisign.com
Sat Jun 12 13:34:32 EDT 2010

On Sat, 12 Jun 2010, Ed Lewis wrote:
> At 17:12 -0400 6/11/10, Matt Larson wrote:
>> I'm surprised by your question: considering that the root zone is
> Given the "gotchas" we've experienced in the past two years, I thought
> it is better to be safe than sorry.

What are you referring to?

> (And no one's validating the root yet.)

The reasoning I outlined doesn't require that people be validating the
root zone content now, just that the root is one of the early zones to
sign with RSASHA256 and that other big zones (TLDs) have already
chosen RSASHA256.


