[dns-operations] thoughts on DNSSEC

Chris Thompson cet1 at cam.ac.uk
Wed Jul 25 14:08:13 UTC 2012

On Jul 25 2012, Francis Dupont wrote:

> In your previous mail you wrote:
>>  What about always using both types of DS record?  Why does everyone
>>  publish both SHA-1 and SHA-256 digests?  RFC 4509 is more than 6
>>  years old.
>=> in fact perhaps it is the right time to jump to SHA-256 only?

One data point: of 89 TLDs with DS records in the root zone,

  5 use type 1 (SHA-1) only   [they are BR, MM, NA, PR, TH]
 47 use both types 1 and 2
 37 use type 2 (SHA-256) only

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list