Re: Fw: Root Zone DNSSEC Deployment Technical Status Update

2010-07-18 Thread bmanning
On Sat, Jul 17, 2010 at 10:41:10AM -0400, Paul Wouters wrote:
> On Fri, 16 Jul 2010, Taral wrote:
>
>> Neat, but not (yet) useful... only these TLDs have DS records:
>
> The rest will follow soon. And it is not that you had to stop those
> TLD trust anchors just now.


Actually, soon is a relative term.  Some have stated they are
waiting for operational issues to settle before they proceed.
Could be a few months, could be a few years.

>
>> Several are using old SHA-1 hashes...
>
> old ?

:) really old.
>
> Paul
>

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Root Zone DNSSEC Deployment Technical Status Update

2010-07-18 Thread Steven Bellovin

On Jul 17, 2010, at 3:30:05 PM, Taral wrote:

> On Sat, Jul 17, 2010 at 7:41 AM, Paul Wouters p...@xelerance.com wrote:
>>> Several are using old SHA-1 hashes...
>>
>> old ?
>
> old in that they are explicitly not recommended by the latest specs
> I was looking at.

DNSSEC signatures do not need to have a long lifetime; no one cares if, in 10 
years, someone can find a preimage attack against today's signed zones.  This 
is unlike many other uses of digital signatures, where you may have to present 
evidence in court about what someone did or did not sign.

It's also unclear to me what the actual deployment is of stronger algorithms, 
or of code that will do the right thing if multiple signatures are present.

--Steve Bellovin, http://www.cs.columbia.edu/~smb





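The "old SHA-1 hashes" in the thread are DS records whose digest type field is 1 (SHA-1) rather than 2 (SHA-256). The following is an added example, not code from the list or any of its posters: it computes a DS digest from a DNSKEY as RFC 4034 section 5.1.4 specifies (hash over the canonical owner name followed by the DNSKEY RDATA), checks a published DS against the child's key, and reports whether a delegation's DS set offers only a weak digest type. The zone name example., the key bytes and the DS values are constructed for the demonstration.

```python
import hashlib
import hmac

# DS digest type numbers (RFC 4034, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGOS = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256)}
WEAK_DIGEST_TYPES = {1}  # SHA-1: a delegation that offers only this type is flagged

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root-terminated."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key material."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGOS[digest_type][1](name_to_wire(owner) + rdata).digest()

def ds_matches_dnskey(owner: str, rdata: bytes, ds: tuple) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest) as the parent zone publishes it."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: a validator cannot use it, so it is no match
    expected = ds_digest(owner, rdata, dtype)
    return tag == key_tag(rdata) and alg == rdata[3] and hmac.compare_digest(digest, expected)

def audit_ds_set(ds_set: list) -> dict:
    """Summarise which digest types a delegation's DS RRset offers and whether only weak ones."""
    types = {ds[2] for ds in ds_set}
    return {
        "digest_types": sorted(DIGEST_ALGOS.get(t, ("unknown",))[0] for t in types),
        "weak_only": bool(types) and types <= WEAK_DIGEST_TYPES,
    }

# Constructed sample: a KSK (flags 257, algorithm 8) for the reserved zone example. with dummy key bytes.
OWNER = "example."
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
DS_SHA1 = (key_tag(KSK), 8, 1, ds_digest(OWNER, KSK, 1))
DS_SHA256 = (key_tag(KSK), 8, 2, ds_digest(OWNER, KSK, 2))

if __name__ == "__main__":
    print(key_tag(KSK), audit_ds_set([DS_SHA1]), audit_ds_set([DS_SHA1, DS_SHA256]))
```

Against a real delegation, the DNSKEY RDATA and DS tuple would come from the child's DNSKEY RRset and the parent's DS RRset; the check is the same one a validator performs before it trusts a child key.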