<DNSEXT co-chair hat on>
Based on guidance from the security area, we will be fast tracking this
document. The DS algorithm has been determined to be the weakest link in
the DNSSEC chain, thus we are adding a new, stronger algorithm now and retiring
SHA-1 from use 2 years after this is published as an RFC.

The expectation is that there will be one more algorithm roll in about 5 years
when a new generation of digest algorithm(s) has been reviewed and
standardized.

Please send comments on this version NOW to namedroppers;
the plan is to start DNSEXT WG last call around Nov 20th.

The plan is to update digest algorithms used in signatures (RRSIG)
in the near future, along with the retirement of TSIG/MD5.

        Olafur (DNSEXT co-chair)

At 15:50 11/11/2005, [EMAIL PROTECTED] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS Extensions Working Group of the IETF.

        Title           : Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
        Author(s)       : W. Hardaker
        Filename        : draft-ietf-dnsext-ds-sha256-00.txt
        Pages           : 7
        Date            : 2005-11-11

   This document defines the use of the SHA-256 digest type for creating
   digests of DNSKEY Resource Records (RRs).  These digests can then be
   published in Delegation Signer (DS) resource records (RRs) by a
   parent zone.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-ds-sha256-00.txt

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
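
The digest the announced draft describes (a SHA-256 digest of a DNSKEY RR, published by the parent as a DS record), as an added example that is not part of the original message or of the draft. It uses the DS digest input from RFC 4034 (canonical owner name followed by the DNSKEY RDATA) and digest type 2 as assigned to SHA-256 in RFC 4509; the owner name and key bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

DIGEST_SHA1, DIGEST_SHA256 = 1, 2  # DS digest type numbers (2 = SHA-256, RFC 4509)
SAMPLE_PUBLIC_KEY = bytes(range(64))  # constructed bytes, not a real key

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bits) | protocol (8) | algorithm (8) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256):
    """Return (key tag, algorithm, digest type, digest) for the DS RDATA."""
    hashers = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}
    digest = hashers[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """Check a child DNSKEY against a DS tuple taken from the parent zone."""
    tag, alg, dtype, digest = ds
    if (tag, alg) != (key_tag(rdata), rdata[3]):
        return False
    return hmac.compare_digest(make_ds(owner, rdata, dtype)[3], digest)

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 5, SAMPLE_PUBLIC_KEY)  # KSK flags, RSA/SHA-1 key
    for dtype in (DIGEST_SHA1, DIGEST_SHA256):
        tag, alg, dt, digest = make_ds("example.com.", rdata, dtype)
        print(f"example.com. IN DS {tag} {alg} {dt} {digest.hex().upper()}")
```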