Yes, in my opinion it is a good idea to have a plan to migrate to a new algorithm, and RSA/SHA-256 is probably the candidate, as ECDSA is not widely implemented as far as we can tell (but not sure). NIST is advocating migration (or initial deployment) of RSA/SHA-256 within the .gov TLD. The .gov TLD rolled to RSA/SHA-256 a few years ago when the new operator took over. In the second level, it's roughly half, with the other half using code 7 (RSA/SHA-1 with NSEC3) and a few deployments that were still using code 5.
I have heard of some large enterprises removing their DS RRset from the parent zone before performing an algorithm roll to prevent validation errors. They were an island during the roll, then added the new KSK's DS RRset when completed. Not ideal, but they were constrained by resources and time. They were also migrating several dozen zones at once, not just one. I don't think that is a good path for a TLD though.

Scott

On Jan 16, 2015, at 5:13 AM, Marco Davids (SIDN) <marco.dav...@sidn.nl> wrote:

> Hi,
>
> SHA-1 for TLS certificates is considered insufficient nowadays.
>
> But what about the usage of RSA/SHA-1 in DNSSEC?
>
> Should TLDs such as .se make preparations for an algorithm roll-over?
>
> --
> Marco
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

===================================
Scott Rose
NIST
scott.r...@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================
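The reason pulling the DS makes the roll "safe" (and why a TLD cannot afford that shortcut) is the algorithm-consistency rule validators apply: every algorithm listed in the parent's DS must sign the DNSKEY RRset, and every algorithm present in the DNSKEY RRset must sign every RRset in the zone. The script below is an added example, not code from Scott Rose, NIST or the DNSOP list. It parses presentation-format DNSKEY, DS and RRSIG records (all sample records are constructed, with placeholder key and signature data), treats the DS lines as what the parent publishes for the zone, and reports which step of a code 7 to code 8 roll is consistent, which would be rejected by a strict validator, and what the "island" state looks like when the DS has been withdrawn.

```python
"""Consistency check for a DNSSEC algorithm roll (added example, stdlib only).

Signer-side rules a zone must meet while two algorithms coexist
(RFC 4035 section 2.2, restated in RFC 6840 section 5.11):
  1. every algorithm in the parent's DS RRset must have a DNSKEY in the
     zone, and the DNSKEY RRset must carry an RRSIG made with it;
  2. every algorithm in the DNSKEY RRset must sign every RRset in the zone.
A zone whose DS has been pulled from the parent is an "island": the
delegation is insecure, so nothing can fail validation, but nothing is
protected either.  All records below are constructed sample data.
"""
from collections import defaultdict

ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             13: "ECDSAP256SHA256"}


def parse_records(text):
    """Parse 'owner TTL IN TYPE rdata...' lines.

    Returns (apex, dnskey_algs, ds_algs, rrsigs, rrsets): rrsigs maps
    (owner, type_covered) to the set of algorithms that signed it; rrsets is
    the set of (owner, type) pairs the zone itself must sign.  DS lines are
    taken as the parent's DS RRset for this zone.
    """
    apex, dnskey_algs, ds_algs = None, set(), set()
    rrsigs, rrsets = defaultdict(set), set()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "DNSKEY":              # rdata: flags proto ALG key
            apex = owner
            dnskey_algs.add(int(rdata[2]))
            rrsets.add((owner, rtype))
        elif rtype == "DS":                # rdata: keytag ALG digest-type digest
            ds_algs.add(int(rdata[1]))
        elif rtype == "RRSIG":             # rdata: type-covered ALG labels ...
            rrsigs[(owner, rdata[0])].add(int(rdata[1]))
        else:
            rrsets.add((owner, rtype))
    return apex, dnskey_algs, ds_algs, rrsigs, rrsets


def check_roll(zone_text):
    """Return a list of problems; an empty list means a strict validator
    following the rules above accepts the zone at this step of the roll."""
    apex, dnskey_algs, ds_algs, rrsigs, rrsets = parse_records(zone_text)
    if not ds_algs:
        return ["island: no DS at the parent; delegation is insecure, so "
                "nothing can fail validation but nothing is protected"]
    problems = []
    for alg in sorted(ds_algs):
        name = ALG_NAMES.get(alg, "?")
        if alg not in dnskey_algs:
            problems.append(f"DS alg {alg} ({name}) has no matching DNSKEY: bogus")
        elif alg not in rrsigs[(apex, "DNSKEY")]:
            problems.append(f"DNSKEY RRset has no RRSIG with DS alg {alg} ({name}): bogus")
    for alg in sorted(dnskey_algs):
        for owner, rtype in sorted(rrsets):
            if alg not in rrsigs[(owner, rtype)]:
                problems.append(f"{owner} {rtype} lacks RRSIG with alg {alg} "
                                f"({ALG_NAMES.get(alg, '?')}): strict validators reject")
    return problems


# Constructed sample zone, mid-way through a code 7 -> code 8 roll: both
# algorithms are in the DNSKEY RRset and sign every RRset, while the parent
# still publishes only the alg 7 DS.  Key and signature fields are placeholders.
SIG_TIMES = "20150301000000 20150201000000"
_RECORDS = [
    "example.test. 3600 IN DNSKEY 257 3 7 AwEAAcKSK7",
    "example.test. 3600 IN DNSKEY 256 3 7 AwEAAcZSK7",
    "example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKSK8",
    "example.test. 3600 IN DNSKEY 256 3 8 AwEAAcZSK8",
    f"example.test. 3600 IN RRSIG DNSKEY 7 2 3600 {SIG_TIMES} 11111 example.test. c2ln",
    f"example.test. 3600 IN RRSIG DNSKEY 8 2 3600 {SIG_TIMES} 22222 example.test. c2ln",
    "www.example.test. 300 IN A 192.0.2.1",
    f"www.example.test. 300 IN RRSIG A 7 3 300 {SIG_TIMES} 33333 example.test. c2ln",
    f"www.example.test. 300 IN RRSIG A 8 3 300 {SIG_TIMES} 44444 example.test. c2ln",
    "example.test. 86400 IN DS 11111 7 2 0123456789abcdef",
]
MID_ROLL_OK = "\n".join(_RECORDS)
# Alg 8 DS published before every RRset carries an alg 8 signature.
DS_TOO_EARLY = "\n".join(
    r for r in _RECORDS if not r.startswith("www.example.test. 300 IN RRSIG A 8")
) + "\nexample.test. 86400 IN DS 22222 8 2 fedcba9876543210"
# The "island" shortcut: DS withdrawn from the parent for the duration of the roll.
ISLAND = "\n".join(r for r in _RECORDS if " IN DS " not in r)

if __name__ == "__main__":
    for label, zone in [("mid-roll, DS alg 7 only", MID_ROLL_OK),
                        ("alg 8 DS added too early", DS_TOO_EARLY),
                        ("DS withdrawn (island)", ISLAND)]:
        print(f"{label}: {check_roll(zone) or 'consistent'}")
```

Run it as a script to see the three states side by side. The middle case is the one an operator actually hits when the parent's DS is updated before the whole zone is re-signed with the new algorithm; the island case shows why withdrawing the DS avoids that error at the cost of being unsigned, which is acceptable for an enterprise zone in a hurry but not for a TLD whose delegations all go insecure with it. Real zones should be checked against a full zone transfer rather than a hand-built record list, and the check here is the strict signer-side rule, not the more lenient behaviour some validators implement.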