[dns-operations] any registries require DNSKEY not DS?
Tony Finch
dot at dotat.at
Thu Jan 23 19:10:17 UTC 2020
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> Which is not to say that one should continue to use SHA-1 in DS RRs,
> but there is little risk in doing so for the foreseeable future.
Right. Getting rid of SHA-1 in DS and CDS might not be cryptographically
necessary [*], but it's required for protocol conformance, and it's
important to actually make visible progress toward deprecating SHA-1 even if
we start with the easy but less important steps.
[*] Registries that don't check DS parameters, like the examples you gave,
are vulnerable to chosen-prefix collisions if they are relaxed enough to
allow 800-ish bytes of digest...
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Shannon: Variable 4 or less, becoming south or southwest 4 to 6. Moderate,
becoming rough in northwest. Mainly fair. Good.
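The footnote above is about registries accepting DS rdata without checking that the digest type is known, that the digest length matches that type, and that the type is not deprecated. The following is an added example of such a check, written for this page and not code from Tony Finch, the list, or any registry; the digest type table follows the IANA DS digest registry and the deprecation set follows RFC 8624, while the key tag and filler hex values are constructed.

```python
import re

# Digest type -> (name, digest length in bytes), from the IANA
# "DS RR Digest Algorithms" registry.
DS_DIGEST_TYPES = {
    1: ("SHA-1", 20),
    2: ("SHA-256", 32),
    3: ("GOST R 34.11-94", 32),
    4: ("SHA-384", 48),
}

# Digest types RFC 8624 marks "MUST NOT" for new DS/CDS records (SHA-1, GOST).
DEPRECATED_DIGEST_TYPES = {1, 3}

HEX_RE = re.compile(r"^[0-9a-f]*$")


def validate_ds(rdata: str) -> list:
    """Check DS/CDS rdata in presentation format:
    '<keytag> <algorithm> <digesttype> <hexdigest>'.

    Returns a list of human-readable problems; an empty list means the
    record passes the parameter checks a registry should apply on submission.
    """
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        return ["expected 4 fields: keytag algorithm digesttype digest"]
    problems = []
    try:
        keytag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    except ValueError:
        return ["keytag, algorithm and digest type must be decimal integers"]
    if not 0 <= keytag <= 65535:
        problems.append(f"key tag {keytag} out of range 0-65535")
    if not 1 <= alg <= 255:
        problems.append(f"algorithm {alg} out of range 1-255")

    # Presentation format allows the hex digest to be split by whitespace;
    # normalise before checking it.
    digest_hex = "".join(fields[3].split()).lower()
    if not HEX_RE.match(digest_hex) or len(digest_hex) % 2:
        problems.append("digest is not an even-length hexadecimal string")
        return problems
    digest_len = len(digest_hex) // 2

    if dtype not in DS_DIGEST_TYPES:
        problems.append(f"unknown digest type {dtype}")
        return problems
    name, expected_len = DS_DIGEST_TYPES[dtype]
    if digest_len != expected_len:
        # Insisting on the exact length for the digest type leaves no room
        # for submitter-controlled padding and catches truncation/corruption.
        problems.append(
            f"digest length {digest_len} bytes, expected {expected_len} for {name}"
        )
    if dtype in DEPRECATED_DIGEST_TYPES:
        problems.append(
            f"digest type {dtype} ({name}) is deprecated for new DS records (RFC 8624)"
        )
    return problems


# Constructed sample rdata; the hex is filler, not a real digest.
SAMPLES = {
    "sha256_ok": "12345 13 2 " + "ab" * 32,
    "sha1_deprecated": "12345 13 1 " + "ab" * 20,
    "oversized_digest": "12345 13 2 " + "ab" * 800,
    "unknown_type": "12345 13 9 " + "ab" * 32,
}

if __name__ == "__main__":
    for label, rdata in SAMPLES.items():
        print(label, validate_ds(rdata) or "OK")
```

The length check is the one that matters for the footnote: a registry that stores whatever hex string it is handed, up to hundreds of bytes, gives a submitter room to play with the digest field, whereas one that requires exactly 32 bytes for SHA-256 (or 48 for SHA-384) does not.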