Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:

> Which is not to say that one should continue to use SHA-1 in DS RRs,
> but there is little risk in doing so for the foreseeable future.
Right. Getting rid of SHA-1 in DS and CDS might not be cryptographically necessary [*], but it's required for protocol conformance, and it's important to actually make visible progress toward deprecating SHA-1, even if we start with the easy but less important steps.

[*] Registries that don't check DS parameters, like the examples you gave, are vulnerable to chosen prefix collisions if they are relaxed enough to allow 800-ish bytes of digest...

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Shannon: Variable 4 or less, becoming south or southwest 4 to 6. Moderate, becoming rough in northwest. Mainly fair. Good.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
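The footnote's point is that a registry which stores whatever DS parameters it is handed, including an 800-byte "digest", has no business trusting the digest at all. As an added example, not code from the thread or from any registry, here is the registry-side parameter check that closes that gap: a DS record is accepted only if its digest type is known, the digest length is exactly what that type fixes, and the type is one the registry still allows for new delegations. The accepted set (SHA-256 and SHA-384 only, with SHA-1 and GOST excluded) is an assumed policy following RFC 8624's delegation guidance; the sample DS records are constructed from hashes of a placeholder string, not from any real DNSKEY.

```python
import hashlib
import re

# Digest length in bytes for each IANA-registered DS digest type:
# 1 = SHA-1, 2 = SHA-256, 3 = GOST R 34.11-94, 4 = SHA-384.
DS_DIGEST_LENGTHS = {1: 20, 2: 32, 3: 32, 4: 48}

# Assumed policy for this hypothetical registry: digest types accepted for
# new delegations. RFC 8624 marks SHA-1 (1) and GOST (3) "MUST NOT" for
# delegation, so a conforming registry leaves them out of this set.
ACCEPTED_DIGEST_TYPES = {2, 4}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def check_ds_record(presentation: str) -> tuple[bool, str]:
    """Validate one DS RR in presentation format:
    '<key tag> <algorithm> <digest type> <hex digest>'.
    Returns (accepted, reason)."""
    fields = presentation.split()
    if len(fields) < 4:
        return False, "expected 4 fields: key tag, algorithm, digest type, digest"
    try:
        key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    except ValueError:
        return False, "key tag, algorithm and digest type must be integers"
    if not 0 <= key_tag <= 65535:
        return False, f"key tag {key_tag} outside 16-bit range"
    if not 0 <= algorithm <= 255:
        return False, f"algorithm {algorithm} outside 8-bit range"
    # Presentation format allows the hex digest to be split by whitespace.
    digest_hex = "".join(fields[3:])
    if not HEX_RE.fullmatch(digest_hex) or len(digest_hex) % 2:
        return False, "digest is not an even-length hex string"
    digest = bytes.fromhex(digest_hex)
    expected = DS_DIGEST_LENGTHS.get(digest_type)
    if expected is None:
        return False, f"unknown digest type {digest_type}"
    if len(digest) != expected:
        # The digest length is fixed by the digest type; a registry that
        # skips this check stores arbitrary bytes as a "digest".
        return False, f"digest type {digest_type} requires {expected} bytes, got {len(digest)}"
    if digest_type not in ACCEPTED_DIGEST_TYPES:
        return False, f"digest type {digest_type} not accepted for new delegations"
    return True, "ok"


def filter_ds_set(records: list[str]) -> tuple[list[str], list[tuple[str, str]]]:
    """Split a submitted DS set into accepted records and (record, reason) rejections."""
    accepted, rejected = [], []
    for rec in records:
        ok, reason = check_ds_record(rec)
        if ok:
            accepted.append(rec)
        else:
            rejected.append((rec, reason))
    return accepted, rejected


# Constructed sample DS set. The digests are hashes of a placeholder string,
# not digests of any real DNSKEY; key tag 12345 is likewise a placeholder.
SAMPLE_DS_SET = [
    "12345 13 2 " + hashlib.sha256(b"placeholder DNSKEY").hexdigest(),  # SHA-256: accepted
    "12345 13 4 " + hashlib.sha384(b"placeholder DNSKEY").hexdigest(),  # SHA-384: accepted
    "12345 13 1 " + hashlib.sha1(b"placeholder DNSKEY").hexdigest(),    # SHA-1: deprecated type
    "12345 13 2 " + "ab" * 800,                                          # 800-byte "digest"
    "12345 13 2 " + hashlib.sha256(b"x").hexdigest()[:-2],               # 31-byte digest
    "12345 13 2 not-hex",                                                # malformed digest
]

if __name__ == "__main__":
    accepted, rejected = filter_ds_set(SAMPLE_DS_SET)
    for rec in accepted:
        print("ACCEPT", rec[:40], "...")
    for rec, reason in rejected:
        print("REJECT", rec[:40], "...", "->", reason)
```

The length check is the one that matters most for the collision concern: once a digest must be exactly 32 or 48 bytes, there is no room for the padding a chosen-prefix construction needs, and the type check on top of that retires SHA-1 from new delegations regardless.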