[dns-operations] DNSSEC: state of it / italy
John Dickinson
jad at sinodun.com
Mon Jul 22 10:58:03 UTC 2024
On 22/07/2024 11:17, A. Schulze wrote:
> Hello,
>
> The TLD .it is signed with Algorithm 10 / RSASHA512.
> (https://dnsviz.net/d/it/Zp348A/dnssec/)
> RFC 8624 says RSASHA512 is NOT RECOMMENDED. Does anybody know if .it
> will change its algorithm some day?
>
> Andreas
>
The table in RFC 8624 is about implementation recommendations, not which
algorithm you use for signing.
However, I agree that RSASHA512 is not such a great idea, as the RFC
slightly confusingly explains at the bottom of page 5:
"RSASHA512 is NOT RECOMMENDED for DNSSEC signing because it has not
seen wide deployment, but there are some deployments; hence, DNSSEC
validation MUST implement RSASHA512 to ensure interoperability.
There is no significant difference in cryptographic strength between
RSASHA512 and RSASHA256; therefore, use of RSASHA512 is discouraged
as it will only make deprecation of older algorithms harder. People
who wish to use a cryptographically stronger algorithm should switch
to elliptic curve cryptography algorithms."
I would change the first sentence of that to say signers, not signing.
While I would encourage .it to switch to Alg. 13, I would be a lot more
worried by the UDP errors flagged by DNSViz.
regards
John
--
John Dickinson Sinodun Internet Technologies Ltd.
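The point of the reply above is the distinction between RFC 8624's two columns: what a signer should choose versus what a validator must implement. The following script is an added example, not code from the thread or from any of its participants. It parses DNSKEY records in zone-file presentation format, computes the RFC 4034 Appendix B key tag, and reports the RFC 8624 Section 3.1 requirement level for both signing and validation. The requirement table is transcribed from the RFC and should be checked against its text; the sample records are constructed (a two-byte placeholder key, not the real .it DNSKEY RRset) so the example runs offline. Feeding it `dig +multiline it. DNSKEY` output, or any zone's DNSKEY lines, is the realistic use.

```python
import base64
from dataclasses import dataclass

# RFC 8624, Section 3.1: per-algorithm requirement levels for DNSSEC
# signing and validation (transcribed here; verify against the RFC).
RFC8624 = {
    1:  ("RSAMD5",             "MUST NOT",        "MUST NOT"),
    3:  ("DSA",                "MUST NOT",        "MUST NOT"),
    5:  ("RSASHA1",            "NOT RECOMMENDED", "MUST"),
    6:  ("DSA-NSEC3-SHA1",     "MUST NOT",        "MUST NOT"),
    7:  ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8:  ("RSASHA256",          "MUST",            "MUST"),
    10: ("RSASHA512",          "NOT RECOMMENDED", "MUST"),
    12: ("ECC-GOST",           "MUST NOT",        "MAY"),
    13: ("ECDSAP256SHA256",    "MUST",            "MUST"),
    14: ("ECDSAP384SHA384",    "MAY",             "RECOMMENDED"),
    15: ("ED25519",            "RECOMMENDED",     "RECOMMENDED"),
    16: ("ED448",              "MAY",             "RECOMMENDED"),
}


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        # Flags field (RFC 4034 s2.1.1): 0x0100 is Zone Key, 0x0001 is SEP.
        return bool(self.flags & 0x0001)


def parse_dnskey(line: str) -> DnsKey:
    """Parse one DNSKEY RR in presentation format.

    TTL and class are optional; the base64 key material may be split into
    several whitespace-separated chunks, as dig prints it.
    """
    tokens = line.split()
    owner = tokens[0]
    i = 1
    if tokens[i].isdigit():          # optional TTL
        i += 1
    if tokens[i].upper() == "IN":    # optional class
        i += 1
    if tokens[i].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return DnsKey(owner, flags, protocol, algorithm, pubkey)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def assess(key: DnsKey) -> dict:
    """Report the key tag, role and RFC 8624 status for one DNSKEY."""
    name, signing, validation = RFC8624.get(
        key.algorithm, ("UNKNOWN", "UNKNOWN", "UNKNOWN"))
    return {
        "owner": key.owner,
        "keytag": key_tag(key.flags, key.protocol, key.algorithm, key.pubkey),
        "role": "KSK" if key.is_ksk else "ZSK",
        "algorithm": f"{key.algorithm} ({name})",
        "signing": signing,
        "validation": validation,
    }


def assess_zone(text: str) -> list[dict]:
    return [assess(parse_dnskey(l)) for l in text.splitlines() if l.strip()]


# Constructed sample records: the owner names follow the thread, but the key
# material is a two-byte placeholder ("AQI=" is base64 of 0x01 0x02), not a
# real DNSKEY RRset.
SAMPLE_ZONE = """\
it. 3600 IN DNSKEY 257 3 10 AQI=
it. 3600 IN DNSKEY 256 3 10 AQI=
example. IN DNSKEY 257 3 13 AQI=
"""

if __name__ == "__main__":
    for r in assess_zone(SAMPLE_ZONE):
        print(f"{r['owner']:<10} tag={r['keytag']:<5} {r['role']} "
              f"alg {r['algorithm']:<24} signing: {r['signing']:<15} "
              f"validation: {r['validation']}")
```

The two columns in the output make the reply's point concrete: an algorithm 10 key is flagged NOT RECOMMENDED for signing while validation stays MUST, so a zone signed with it still validates everywhere, and the argument for moving to algorithm 13 is about easing future deprecation rather than about current breakage.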