Well anyone using RedHat Enterprise Linux 9 / Oracle Linux 9 already has RSASHA1 / NSEC3RSASHA1 disabled.
BIND will automatically disable these algorithms as of the September releases if they are not supported by the crypto provider. So it will no longer require named.conf changes.

--
Mark Andrews

> On 18 Aug 2022, at 08:45, Viktor Dukhovni <[email protected]> wrote:
>
> On Tue, Aug 16, 2022 at 02:55:35PM +0000, Paul Hoffman wrote:
>
>> Another way to look at this is not from all signed delegations
>> anywhere, but for web sites that are most popular. Using the Tranco
>> list, choosing from the top 100,000 names, 6,389 are signed; of those,
>> 349 sign with algorithm 5 or 7. Thus, for the popular sites, the
>> percentage is closer to 5%, not 1%.
>
> While I'm not impressed by the significance of the last ~900k of the
> Tranco list, indeed there is some concentration of deprecated DNSSEC
> algorithms closer to the top of the list, among the top 10k we see
> the domains below my sig.
>
> How realistic is it to prod these to migrate? The DHS folks had
> recently put out an RFP for managed DNS service, not only for the .GOV
> registry, but also for operation of the delegated domains, and
> presumably at some point many of the .GOV slowpokes might move to a
> managed service with more modern keys, ... This will likely take
> a couple of years (if not delayed or cancelled).
>
> As for the rest, not clear what would cause them to switch, and how hard
> we should try. There hasn't been much downward momentum in algorithm 5
> and 7 use after the initial 93% decline at major hosting providers.
>
> [ Even transip.nl, who've migrated all their customers, haven't yet
> migrated their own domain. Cobbler's children and all that... ]
>
> --
> Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
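Added example, not part of this thread or of BIND: a small checker that reads a zone's DNSKEY RRset in presentation format, reports whether algorithm 5 or 7 is in use, and predicts what a validator that has those algorithms disabled (as the thread says RHEL 9 / Oracle Linux 9 and upcoming BIND do) would conclude. It assumes the parent's DS RRset covers the same algorithms as the DNSKEY RRset; the sample records and key material are constructed, not real keys.

```python
import re

# IANA DNSSEC algorithm numbers used in this example (names per the IANA registry).
ALGORITHMS = {
    5: "RSASHA1",               # algorithm 5, discussed in the thread
    7: "RSASHA1-NSEC3-SHA1",    # algorithm 7, discussed in the thread
    13: "ECDSAP256SHA256",
}
# Algorithms the thread says the RHEL 9 / Oracle Linux 9 crypto policy disables.
DISABLED_ALGORITHMS = {5, 7}

# Presentation format: <owner> [TTL] IN DNSKEY <flags> <protocol> <algorithm> <base64 key>
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_dnskeys(zone_text):
    """Return (owner, flags, algorithm) for every DNSKEY record in zone_text."""
    keys = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            owner, flags, _proto, alg, _key = m.groups()
            keys.append((owner, int(flags), int(alg)))
    return keys

def assess_zone(zone_text, disabled=DISABLED_ALGORITHMS):
    """Return (deprecated algorithms present, outcome on a validator with `disabled` off).

    Assumption: the parent's DS RRset covers the same algorithms as the DNSKEY RRset.
    Per RFC 4035 section 5.2 a validator with no supported algorithm in the chain treats
    the zone as insecure (unsigned) rather than bogus: names still resolve, unprotected.
    """
    algs = {alg for _, _, alg in parse_dnskeys(zone_text)}
    deprecated = sorted(algs & set(disabled))
    outcome = "secure" if algs - set(disabled) else "insecure"
    return deprecated, outcome

# Constructed sample DNSKEY RRsets; the key material is dummy text, not real keys.
SAMPLE_RSASHA1_ONLY = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAdummyKSKmaterial==
example.test. 3600 IN DNSKEY 256 3 7 AwEAAdummyZSKmaterial==
"""
SAMPLE_ROLLOVER = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAdummyOldKSK==
example.test. 3600 IN DNSKEY 257 3 13 dummyNewKSKmaterial==
example.test. 3600 IN DNSKEY 256 3 13 dummyNewZSKmaterial==
"""
```

Running `assess_zone(SAMPLE_RSASHA1_ONLY)` yields `([7], "insecure")`, while the mid-rollover set with an ECDSA key alongside the old one still validates.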
