On Fri, Jan 16, 2015 at 10:59 AM, Olafur Gudmundsson <o...@ogud.com> wrote:
>
>> On Jan 16, 2015, at 5:13 AM, Marco Davids (SIDN) <marco.dav...@sidn.nl> wrote:
>>
>> Hi,
>>
>> SHA-1 for TLS certificates is considered insufficient nowadays.
>>
>> But what about the usage of RSA/SHA-1 in DNSSEC?
>>
>> Should TLDs such as .se make preparations for an algorithm roll-over?
>>
>> --
>> Marco
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
> Yes,
> but they should not restrict themselves to just RSA-xxx as a rollover target :-)
>
> ECDSA is available and is a good alternative if you want stronger zone signing signatures than 1024 bits.
> Hopefully we will have a modern ECC signature algorithm available in a few years.

Currently a number of validators don't do ECC, because the openssl library from the distribution they are using doesn't include support. This makes ECC an unsupported algorithm, and so it "fails open" (see RFC 4035, Section 5.2, around "If the validator does not support any of the algorithms..."). Geoff also has a good blog post (http://labs.apnic.net/blabs/?p=544) and presentations at various places (e.g. https://ripe69.ripe.net/presentations/135-18-2014-11-01-ecc.pptx).

I and some others disagree on the impact of this, but my view is that if I sign a zone it is because I'd like everyone doing DNSSEC to actually validate the answers, not just shrug and move on...

I suggest that folk whose ssl libraries don't support ECC should figure out why (see http://tools.ietf.org/html/rfc6090 and also Geoff's blog post for some background) and then recompile with support[0].

W

[0]: Assuming they find that appropriate, of course...

>
> Olafur

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
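The "fails open" rule referred to above (RFC 4035, Section 5.2) can be modelled as a small decision procedure over algorithm sets. This is an added example, not code from the thread; the validator profiles are constructed, and the `verified_algorithms` input stands in for the real signature check rather than performing any cryptography.

```python
"""Simplified model of the RFC 4035 section 5.2 algorithm-support rule.

Constructed illustration, not a real validator: it models only the
DS -> DNSKEY step and takes the outcome of signature checks as input.
"""
# DNSSEC algorithm numbers from the IANA registry.
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Constructed validator profiles: which algorithms each can verify.
VALIDATOR_PROFILES = {
    "modern": {RSASHA1, RSASHA256, ECDSAP256SHA256},
    "no_ecc_openssl": {RSASHA1, RSASHA256},  # distro OpenSSL built without ECC
}


def validation_state(ds_algorithms, dnskey_algorithms, verified_algorithms, supported):
    """Return 'secure', 'insecure' or 'bogus' for one validator.

    ds_algorithms:       algorithms of the DS records published by the parent.
    dnskey_algorithms:   algorithms present in the child's DNSKEY RRset.
    verified_algorithms: algorithms whose RRSIG over the DNSKEY RRset verified
                         (constructed input standing in for the crypto step).
    supported:           algorithms this validator implements.
    """
    usable_ds = set(ds_algorithms) & set(supported)
    if not usable_ds:
        # RFC 4035 5.2: no supported authentication path from parent to
        # child, so treat it like a proven absence of DS: the zone is
        # accepted unvalidated. This is the "fails open" case.
        return "insecure"
    # A usable DS must match a DNSKEY whose signature over the RRset verifies.
    if usable_ds & set(dnskey_algorithms) & set(verified_algorithms):
        return "secure"
    return "bogus"


def rollover_outcomes(ds_algorithms, dnskey_algorithms, verified_algorithms,
                      profiles=VALIDATOR_PROFILES):
    """Map each validator profile to the state it would reach for this zone."""
    return {name: validation_state(ds_algorithms, dnskey_algorithms,
                                   verified_algorithms, supported)
            for name, supported in profiles.items()}


if __name__ == "__main__":
    # Cutting straight over to ECDSA: validators without ECC fall open.
    print(rollover_outcomes([ECDSAP256SHA256], [ECDSAP256SHA256], [ECDSAP256SHA256]))
    # Keeping an RSA DS and RSA signatures alongside ECDSA during the
    # transition keeps both populations in the secure state.
    both = [RSASHA256, ECDSAP256SHA256]
    print(rollover_outcomes(both, both, both))
```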