[dns-operations] Algorithm 5 and 7 trends (please move to 8 or 13)

Viktor Dukhovni ietf-dane at dukhovni.org
Fri May 29 05:35:31 UTC 2020


Enough time has passed since the need to abandon SHA-1 has become
more pressing to discern at least a couple short-term trend-lines.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: alg7.pdf
Type: application/pdf
Size: 10132 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200529/453bc985/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alg5.pdf
Type: application/pdf
Size: 10368 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200529/453bc985/attachment-0003.pdf>
-------------- next part --------------


It seems that algorithm 7 is indeed slowly trending down (it would be
good to see a larger downward slope), but unfortunately, the number of
algorithm 5 domains is actually growing.

  * If you're continuing to sign new domains with algorithm 5, please
    reconsider.

  * If you have existing domains signed with algorithms 5 or 7, please
    migrate to 8 or 13.

Separately:

  * If you're managing one of the ~8k domains with 512-bit RSA keys,
    please migrate to a more reasonable RSA key size or P256.

-- 
	Viktor.



More information about the dns-operations mailing list