There is a very good reason for not killing SHA1 right now in https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02
Sent from my iPhone

> On Apr 23, 2017, at 12:46, Viktor Dukhovni via Unbound-users
> <unbound-users@unbound.net> wrote:
>
>> On Sat, Apr 22, 2017 at 01:43:41PM +0200, A. Schulze wrote:
>>
>>> On 22.04.2017 at 13:20, A. Schulze via Unbound-users wrote:
>>>> On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:
>>>>
>>>> Unbound 1.6.2rc1 maintainers prerelease is available:
>>>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
>>>> DS records. NSEC3 is not disabled.
>>>
>>> I tried --disable-sha1 and found that any org. zone was no longer validated
>>> (it was handled like unsigned).
>>
>> There are currently 2727 DS records in the root zone.
>> 65 x Algorithm 5 for DNSKEY RSA/SHA-1
>
> Note that this includes the ".se" TLD which I believe has one of
> the highest number of signed child 2LDs. Among zones for which
> I can get complete zone data, the signed 2LD child count is:
>
> 685654 se ALG 5 (RSA/SHA-1)
> 654244 com ALG 8 (RSA/SHA-256)
> 104376 net ALG 8
> 84536 nu ALG 7 (RSA/SHA-1 NSEC3-SHA1)
> 75838 org ALG 7
> 19909 ovh ALG 8
> 7401 xyz
> ...
>
> (Incomplete) data from other sources yields lower bounds for
> additional TLDs:
>
> 514361 nl ALG 8
> 313133 fr ALG 8
> 175890 cz ALG 10 (RSA/SHA-512)
> 165568 no ALG 8
> 116359 de ALG 8
> 91986 eu ALG 8
> 49890 br ALG 5
> 19818 info ALG 7
> 16756 hu ALG 8
> 15379 biz ALG 8
> 14167 pw ALG 7
> 14009 be ALG 8
> 5504 at ALG 8
> ...
>
>> --disable-sha1 makes 539 zones / ~20% of the root zone unsigned;
>> that sounds strongly unlike "enabled on production systems" :-)
>
> Yes, this loses .se, .nu, .org, .br, .info and .pw which collectively
> account for at least 930k signed 2LD domains out of a total of
> around 3 million. So that's closer to 30% of the deployed base.
>
> --
> Viktor.
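The counting exercise in the thread (DS records per algorithm, and which delegations a `--disable-sha1` validator would treat as unsigned) can be reproduced against any DS data in zone-file format. The script below is an added example written for this page, not code from the thread or from Unbound; the DS records in it are constructed samples with placeholder digests, and the example also handles the case the thread does not spell out, a zone with a mixed DS set during an algorithm rollover, which still validates as long as one non-SHA1 algorithm remains.

```python
"""Estimate which delegations a SHA1-disabled DNSSEC validator would lose.

Parses DS records in zone-file format, tallies them per signing algorithm,
and lists the zones whose entire DS set uses SHA1-based algorithms (5, 7).
A zone with at least one DS for another algorithm keeps validating.
"""
from collections import Counter, defaultdict

# DNSKEY/DS algorithm numbers from the IANA registry.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256"}
SHA1_ALGS = {5, 7}  # the algorithms --disable-sha1 removes from RRSIG validation

# Constructed sample (not real root-zone data). Fields: owner, TTL, class,
# type, key tag, algorithm, digest type, digest (placeholder).
SAMPLE_DS = """\
se.      86400 IN DS 59747 5  2 DIGEST
nu.      86400 IN DS 12345 7  1 DIGEST
org.     86400 IN DS 9795  7  2 DIGEST
org.     86400 IN DS 9795  7  1 DIGEST
com.     86400 IN DS 30909 8  2 DIGEST
cz.      86400 IN DS 54576 10 2 DIGEST
; constructed zone mid-rollover: old algorithm-5 DS plus new algorithm-13 DS
example. 86400 IN DS 1111  5  2 DIGEST
example. 86400 IN DS 2222  13 2 DIGEST
"""

def parse_ds(text):
    """Yield (owner, algorithm) for every DS record; skip comments and blanks."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "DS":
            continue
        yield fields[0].lower(), int(fields[5])

def sha1_impact(text, disabled=SHA1_ALGS):
    """Return (DS count per algorithm, sorted zones whose DS set is all-SHA1)."""
    per_zone, algs = defaultdict(set), Counter()
    for owner, alg in parse_ds(text):
        per_zone[owner].add(alg)
        algs[alg] += 1
    lost = sorted(z for z, used in per_zone.items() if used <= disabled)
    return algs, lost

if __name__ == "__main__":
    algs, lost = sha1_impact(SAMPLE_DS)
    for alg, n in sorted(algs.items()):
        print(f"{n:4d} x Algorithm {alg:2d} ({ALG_NAMES.get(alg, 'unknown')})")
    print(f"{len(lost)} delegation(s) become insecure: {', '.join(lost)}")
```

Point it at a real root zone dump (the DS lines of `dig . AXFR @f.root-servers.net` or the published zone file) to get the operator's own figure before enabling the build flag.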