[dns-operations] [Ext] Re: help with a resolution

Matthew Pounsett matt at conundrum.com
Fri Jan 10 13:27:49 UTC 2020


On Fri, 10 Jan 2020 at 08:08, Matthew Pounsett <matt at conundrum.com> wrote:

>
>
> On Thu, 9 Jan 2020 at 20:47, Tony Finch <dot at dotat.at> wrote:
>
>> I saw the Eurocrypt SHA-1 chosen-prefix attack last year but I didn't
>> think about the consequences. As soon as I saw the SHAmbles announcement I
>> realised what it actually meant and that DNSSEC was in serious trouble.
>>
>>
> What are the implications for NSEC3, given that both (current) algorithm
> numbers rely on SHA-1?
>

Never mind.. a split thread meant the answer to my question was further down
in my inbox.

So an attack against a TLD using NSEC3 is logistically difficult, but it's
not impossible.. so I guess we'd better get on with standardizing
RSASHA256-NSEC3-SHA256.
There are a LOT of TLDs—particularly CC's—using algo 7.