[dns-operations] Algorithm 5 and 7 trends (please move to 8 or 13)
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri May 29 05:35:31 UTC 2020
Enough time has passed since the need to abandon SHA-1 has become
more pressing to discern at least a couple short-term trend-lines.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alg7.pdf
Type: application/pdf
Size: 10132 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200529/453bc985/attachment.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alg5.pdf
Type: application/pdf
Size: 10368 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200529/453bc985/attachment-0001.pdf>
-------------- next part --------------
It seems that algorithm 7 is indeed slowly trending down (it would be
good to see a larger downward slope), but unfortunately, the number of
algorithm 5 domains is actually growing.

  * If you're continuing to sign new domains with algorithm 5, please
    reconsider.

  * If you have existing domains signed with algorithms 5 or 7, please
    migrate to 8 or 13.

Separately:

  * If you're managing one of the ~8k domains with 512-bit RSA keys,
    please migrate to a more reasonable RSA key size or P256.
--
Viktor.
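
The following is an added example, not part of the original post: a small audit of presentation-format DNSKEY records that flags the SHA-1 based algorithms 5 and 7 and 512-bit RSA keys named above. The function names, the `WEAK_RSA_BITS` threshold variable and the sample records (filler bytes, not real keys) are assumptions made for illustration.

```python
import base64

SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}  # IANA DNSSEC algorithm numbers
RSA_ALGS = {1, 5, 7, 8, 10}                          # algorithms that carry RFC 3110 RSA keys
WEAK_RSA_BITS = 512  # size called out in the post; raise to match local policy

def rsa_modulus_bits(key: bytes) -> int:
    """Bit length of the modulus in an RFC 3110 key: exponent length, exponent, modulus."""
    if len(key) < 3:
        raise ValueError("truncated RSA key")
    if key[0]:
        exp_len, off = key[0], 1
    else:  # a zero first octet means a two-octet exponent length follows
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(record: str) -> list[str]:
    """Findings for one record of the form: owner TTL IN DNSKEY flags proto alg key."""
    fields = record.split()
    i = fields.index("DNSKEY")
    owner, alg = fields[0], int(fields[i + 3])
    key = base64.b64decode("".join(fields[i + 4:]))  # key text may contain whitespace
    findings = []
    if alg in SHA1_ALGS:
        findings.append(f"{owner} algorithm {alg} ({SHA1_ALGS[alg]}) uses SHA-1: migrate to 8 or 13")
    if alg in RSA_ALGS:
        bits = rsa_modulus_bits(key)
        if bits <= WEAK_RSA_BITS:
            findings.append(f"{owner} {bits}-bit RSA key: use a larger RSA key or P256")
    return findings

def sample(owner: str, alg: int, key: bytes) -> str:
    """Build a constructed DNSKEY line; the key bytes are filler, not real keys."""
    return f"{owner} 3600 IN DNSKEY 257 3 {alg} {base64.b64encode(key).decode()}"

EXP = b"\x03\x01\x00\x01"  # exponent length 3, exponent 65537
SAMPLES = [
    sample("old5.example.", 5, EXP + b"\xc1" * 128),   # 1024-bit RSA, algorithm 5
    sample("weak7.example.", 7, EXP + b"\xc1" * 64),   # 512-bit RSA, algorithm 7
    sample("ok8.example.", 8, EXP + b"\xc1" * 256),    # 2048-bit RSA, algorithm 8
    sample("ok13.example.", 13, b"\x5a" * 64),         # 64-octet P-256 key, algorithm 13
]

if __name__ == "__main__":
    for rr in SAMPLES:
        print(rr.split()[0], audit_dnskey(rr) or "ok")
```

To audit a real zone, feed it one DNSKEY record per line, for example the output of `dig +noall +answer DNSKEY` for the zone.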