On 2015-08-06 17:26, Heiko Richter wrote:
Root is signed with RSASHA256 at the moment. There is no sense in
having a more secure algorithm because anybody who can't crack that
algorithm may just attack the weakest link in the chain above you.

This only holds while assuming similar key rotation schemes, I believe? If the roots are signed with RSASHA256 and rotate every 3 months, while you sign, set it and forget it, you're vulnerable to anyone that can crack RSASHA256 over any period of time.

Probably a theoretical difference; if it becomes feasible for someone to crack RSASHA256 in any reasonable level of time, it would be equally feasible to invest in 2x-8x the hardware and start breaking roots in under 3 months.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
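The "weakest link" and "set it and forget it" points above can be checked mechanically. Below is an added example (my own code, not from this thread or from BIND) that audits a DNSSEC chain of trust: it decodes the RSA modulus size from each DNSKEY public-key field (RFC 3110 format), maps RSA and ECDSA keys onto the NIST SP 800-57 comparable-strength scale, and measures each level's RRSIG validity window. The chain itself is constructed sample data (root, TLD, leaf zone), not real records.

```python
import base64
from datetime import datetime
# NIST SP 800-57 comparable strengths (symmetric-equivalent bits) so RSA and ECDSA keys sit on one scale.
RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
ALG_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256"}

def make_rsa_dnskey(bits):
    """Constructed DNSKEY public-key field (RFC 3110 wire format, base64) for an RSA modulus of `bits`."""
    exponent = (65537).to_bytes(3, "big")
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # top bit set: exact bit length
    return base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()

def rsa_modulus_bits(key_b64):
    """Recover the RSA modulus size from a DNSKEY public-key field (RFC 3110)."""
    raw = base64.b64decode(key_b64)
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # long form: a 2-byte exponent length follows the zero byte
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()

def strength_bits(algorithm, key_b64):
    """Symmetric-equivalent strength of one DNSKEY: RSA by modulus size, ECDSA P-256 (alg 13) is 128."""
    if algorithm == 13:
        return 128
    bits = rsa_modulus_bits(key_b64)
    return max((s for k, s in RSA_STRENGTH if bits >= k), default=0)

def sig_window_days(inception, expiration):
    """Length in days of an RRSIG validity window given its YYYYMMDDHHMMSS timestamps."""
    fmt = "%Y%m%d%H%M%S"
    return (datetime.strptime(expiration, fmt) - datetime.strptime(inception, fmt)).days

def audit_chain(levels):
    """Per level: (name, algorithm, strength, window days); plus the weakest link (lowest strength)
    and the longest-lived signature, which is the 'sign it and forget it' exposure from the thread."""
    rows = [(lvl["name"], ALG_NAMES.get(lvl["algorithm"], str(lvl["algorithm"])),
             strength_bits(lvl["algorithm"], lvl["key"]), sig_window_days(lvl["inception"], lvl["expiration"]))
            for lvl in levels]
    weakest, longest = min(rows, key=lambda r: r[2]), max(rows, key=lambda r: r[3])
    return {"levels": rows, "weakest": weakest[0], "chain_strength": weakest[2],
            "longest_window": longest[0], "longest_window_days": longest[3]}

# Constructed sample chain (not real records): root and TLD are re-signed every 90/30 days,
# the leaf zone was signed once with a 1024-bit RSA key and a one-year RRSIG window.
SAMPLE_CHAIN = [
    {"name": ".", "algorithm": 8, "key": make_rsa_dnskey(2048), "inception": "20150801000000", "expiration": "20151030000000"},
    {"name": "example.", "algorithm": 13, "key": "", "inception": "20150801000000", "expiration": "20150831000000"},
    {"name": "zone.example.", "algorithm": 8, "key": make_rsa_dnskey(1024), "inception": "20150101000000", "expiration": "20160101000000"},
]
```

Calling `audit_chain(SAMPLE_CHAIN)` reports the leaf zone as both the weakest link (80-bit strength) and the longest exposure (365-day window), which is the case the thread warns about: a stronger root buys nothing if a lower level is weaker or rotates far more slowly.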



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
