Root Zone DNSSEC Deployment Technical Status Update

Steven Bellovin smb at cs.columbia.edu
Sun Jul 18 07:19:18 EDT 2010


On Jul 17, 2010, at 3:30 05PM, Taral wrote:

> On Sat, Jul 17, 2010 at 7:41 AM, Paul Wouters <paul at xelerance.com> wrote:
>>> Several are using old SHA-1 hashes...
>> 
>> "old" ?
> 
> "old" in that they are explicitly not recommended by the latest specs
> I was looking at.

DNSSEC signatures do not need to have a long lifetime; no one cares if, in 10 years, someone can find a preimage attack against today's signed zones.  This is unlike many other uses of digital signatures, where you may have to present evidence in court about what someone did or did not sign.

It's also unclear to me what the actual deployment is of stronger algorithms, or of code that will do the right thing if multiple signatures are present.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
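
The following is an added illustration, not part of the original message or of any project's code. It parses RRSIG records in RFC 4034 presentation format and reports, per RRset, the signature validity window and whether any signature uses a non-SHA-1 algorithm alongside a SHA-1 one. The sample records, zone name and key tags are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers whose signatures are computed over SHA-1.
SHA1_ALGS = {3: "DSA/SHA1", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Constructed sample RRSIGs (signature field shortened to a placeholder).
SAMPLE = """\
example. 86400 IN RRSIG SOA 7 1 86400 20100725000000 20100718000000 12345 example. AbCd==
example. 86400 IN RRSIG DNSKEY 7 1 86400 20100801000000 20100718000000 12345 example. EfGh==
example. 86400 IN RRSIG DNSKEY 8 1 86400 20100801000000 20100718000000 54321 example. IjKl==
"""

def _ts(value):
    # Assumption: timestamps are in the YYYYMMDDHHmmSS form; the alternative
    # seconds-since-epoch form and serial-number wraparound are not handled.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # owner TTL class RRSIG covered alg labels origTTL expiration inception tag signer sig
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    alg = int(f[5])
    lifetime = _ts(f[8]) - _ts(f[9])
    return {"owner": f[0], "covered": f[4], "alg": alg, "key_tag": int(f[10]),
            "sha1": alg in SHA1_ALGS, "lifetime_days": lifetime.total_seconds() / 86400}

def summarize(text):
    # Group signatures by the RRset they cover, since one RRset may carry
    # several RRSIGs made with different algorithms.
    rrsets = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            sig = parse_rrsig(line)
            rrsets[(sig["owner"], sig["covered"])].append(sig)
    return {
        key: {"algs": sorted(s["alg"] for s in sigs),
              "max_lifetime_days": max(s["lifetime_days"] for s in sigs),
              "sha1_only": all(s["sha1"] for s in sigs)}
        for key, sigs in rrsets.items()
    }

if __name__ == "__main__":
    for (owner, covered), info in summarize(SAMPLE).items():
        print(owner, covered, info)
```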





---------------------------------------------------------------------
The Cryptography Mailing List