On Mon, Aug 15, 2022 at 09:29:28AM -0400, Paul Wouters wrote:
> I think our decision should be based on the deployment statistics of SHA1
> based zones and keys. I'd love to see the trending statistics from
> Viktor to guide us here. Last time we looked it was still in the order
> of 40% or so ?
The stats show a substantial decline in both algorithms 5 and 7 by
approximately 93% each from their peak zone counts, but the last 7%
have been fairly static for months, with very slow to negligible
downward trends.
Presently, out of 18,975,098 working signed delegations:
* 136,295 zones use RSASHA1-NSEC3-SHA1 (7).
* 21,254 zones use RSASHA1 (5).
So the number of eTLD+1 zones that rely on SHA-1 RRSIGs is a fairly
stable ~0.8%, and a stronger nudge would be needed for the remaining
holdouts to perform algorithm rollovers.
The holdouts include, for example:
- ietf.org
- irtf.org
- icann.org
- nsa.gov
- comcast.net
In private conversation with at least one guilty party, I encountered
significant pushback to the suggestion that it is time to move on.
Concerns about operational stability, coupled with a perception of low
risk (for zones where untrusted outsiders aren't positioned to propose
hostile RRsets exploiting chosen-prefix collisions) mean that the
suggestion to take action may be seen as meddlesome intrusion.
So that final 0.8% may be a tough crowd to convince...
--
Viktor.
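One way to find out whether zones under your own control are among the algorithm 5/7 holdouts the message counts, as an added example that is not part of this thread or its author's tooling: it parses DNSKEY records in presentation format, labels each zone as sha1-only, mixed (mid-rollover) or modern (my labels), and reproduces the ~0.8% share from the figures above. The zone names and key material are constructed.

```python
"""Inventory DNSSEC key algorithms per zone and flag the SHA-1 holdouts.
Constructed example: the DNSKEY records below are made-up sample data."""
from collections import defaultdict

# IANA DNSSEC algorithm numbers 5 and 7 are the RSA/SHA-1 variants.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

def parse_dnskey(line):
    """Parse a presentation-format DNSKEY record -> (zone, flags, algorithm).
    Accepts "owner TTL IN DNSKEY flags proto alg key" and the form
    without TTL/class."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    i = fields.index("DNSKEY")
    zone = fields[0].rstrip(".").lower() or "."
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    if protocol != 3:  # RFC 4034: the protocol field MUST be 3
        raise ValueError(f"bad protocol {protocol} in {line!r}")
    return zone, flags, algorithm

def classify_zones(records):
    """Map each zone to 'sha1-only', 'mixed' (mid-rollover) or 'modern'.
    Only algorithm 5/7 keys => the zone can publish nothing but SHA-1
    RRSIGs; a mixed DNSKEY RRset still carries SHA-1 signatures."""
    algs_by_zone = defaultdict(set)
    for line in records:
        zone, _flags, alg = parse_dnskey(line)
        algs_by_zone[zone].add(alg)
    result = {}
    for zone, algs in algs_by_zone.items():
        sha1 = algs & set(SHA1_ALGORITHMS)
        result[zone] = "sha1-only" if sha1 == algs else "mixed" if sha1 else "modern"
    return result

def sha1_share(sha1_zone_count, signed_delegations):
    """Fraction of working signed delegations that rely on SHA-1 RRSIGs."""
    return sha1_zone_count / signed_delegations

SAMPLE_RECORDS = [  # constructed; the key material is placeholder base64
    "example.com. 3600 IN DNSKEY 257 3 7 AwEAAc0NvQ==",
    "example.com. 3600 IN DNSKEY 256 3 7 AwEAAdGtZw==",
    "example.net. 3600 IN DNSKEY 257 3 7 AwEAAc0NvQ==",
    "example.net. 3600 IN DNSKEY 256 3 13 oJMRESz5E4g==",
    "example.org. DNSKEY 257 3 13 oJMRESz5E4g==",
]

if __name__ == "__main__":  # thread figures: (136,295 + 21,254) / 18,975,098
    print(classify_zones(SAMPLE_RECORDS), f"{sha1_share(157549, 18975098):.2%}")
```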
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop