Warren Kumari <[email protected]> wrote: > Ok, I see the concern now, and *do* feel foolish for not getting it sooner...
I have learned a lot this week :-) I have been using DNSSEC for about 10 years and only this week have I had to care about the details of how an RRSIG is constructed. I saw the MD5 chosen-prefix collision certificate in 2008 and I thought, wow that's cool, but I didn't sweat the details. I saw the commentary from X.509 and TLS people about how shaky SHA-1 was in 2015, and I didn't examine the implications for DNSSEC. Same again after the SHA-1 collision in 2017. I saw the Eurocrypt SHA-1 chosen-prefix attack last year but I didn't think about the consequences. As soon as I saw the SHAmbles announcement I realised what it actually meant and that DNSSEC was in serious trouble. It took me a couple of afternoons to write the blog article. The second half and the more tricky cases owe a lot to discussions with Viktor. I, too, feel foolish for not getting it sooner - I can't complain there weren't enough clues! https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North Channel: Mainly northwesterly 3 to 5, backing southerly 4 to 6, increasing 7 to severe gale 9 later. Smooth or slight at first in Firth of Clyde, otherwise moderate or rough. Showers, rain later. Good, occasionally poor later. _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
