> On Jan 16, 2015, at 5:13 AM, Marco Davids (SIDN) <marco.dav...@sidn.nl> wrote:
>
> Hi,
>
> SHA-1 for TLS-certificates is considered insufficient nowadays.
>
> But what about the usage of RSA/SHA-1 in DNSSEC?
>
> Should TLDs such as .se make preparations for an algorithm roll-over?
>
> --
> Marco
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

Yes, but they should not restrict themselves to just RSA-xxx as a rollover target :-)
ECDSA is available and is a good alternative if you want stronger zone signing signatures than 1024 bits.
Hopefully we will have a modern ECC signature algorithm available in a few years.

Olafur
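
An added example, not part of the thread and not code from either poster: a check a zone operator could run over DNSKEY records to see whether a zone still signs with RSA/SHA-1 or with RSA keys of 1024 bits or less. The sample records are constructed with filler key bytes, and the 1024-bit threshold is an assumption taken from the reply's wording.

```python
import base64

# IANA DNSSEC algorithm numbers relevant to the thread.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
SHA1_ALGS = {5, 7}
RSA_ALGS = {5, 7, 8, 10}
WEAK_RSA_BITS = 1024  # assumption: flag RSA keys at or below this size

def rsa_modulus_bits(key: bytes) -> int:
    """RFC 3110 layout: exponent length (1 or 3 octets), exponent, modulus."""
    if key[0] != 0:
        exp_len, offset = key[0], 1
    else:  # a leading zero octet means a two-octet exponent length follows
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()

def audit_dnskey(rr: str) -> dict:
    """Audit one DNSKEY RR: owner [TTL] [class] DNSKEY flags protocol alg key."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, alg = int(fields[i + 1]), int(fields[i + 3])
    key = base64.b64decode("".join(fields[i + 4:]))  # key may span several tokens
    bits = rsa_modulus_bits(key) if alg in RSA_ALGS else None
    findings = []
    if alg in SHA1_ALGS:
        findings.append("signatures use SHA-1")
    if bits is not None and bits <= WEAK_RSA_BITS:
        findings.append(f"RSA modulus is only {bits} bits")
    return {"role": "KSK" if flags & 1 else "ZSK",  # SEP bit marks a KSK
            "algorithm": ALGORITHMS.get(alg, f"unknown({alg})"),
            "rsa_bits": bits, "findings": findings}

def _sample(flags: int, alg: int, key: bytes) -> str:
    """Build a constructed DNSKEY record; the key bytes are filler, not a real key."""
    return f"example. 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(key).decode()}"

SAMPLES = [
    _sample(256, 5, b"\x03\x01\x00\x01" + b"\xc3" * 128),  # 1024-bit RSA/SHA-1 ZSK
    _sample(257, 8, b"\x03\x01\x00\x01" + b"\xc3" * 256),  # 2048-bit RSA/SHA-256 KSK
    _sample(256, 13, b"\x5a" * 64),                        # ECDSA P-256 ZSK
]

if __name__ == "__main__":
    for rr in SAMPLES:
        print(audit_dnskey(rr))
```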