On Aug 15, 2022, at 12:36 PM, Viktor Dukhovni <[email protected]> wrote:
> Presently, out of 18,975,098 working signed delegations:
>
> * 136,295 zones use RSASHA1-NSEC3-SHA1 (7).
> * 21,254 zones use RSASHA1 (5).
>
> So the number of eTLD+1 zones that rely on SHA-1 RRSIGs is a fairly
> stable ~0.8%, and a stronger nudge would be needed for the remaining
> holdouts to perform algorithm rollovers.

Another way to look at this is not from all signed delegations anywhere, but for web sites that are most popular. Using the Tranco list, choosing from the top 100,000 names, 6,389 are signed; of those, 349 sign with algorithm 5 or 7. Thus, for the popular sites, the percentage is closer to 5%, not 1%.

--Paul Hoffman
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
