On 2015-08-06 17:26, Heiko Richter wrote:
Root is signed with RSASHA256 at the moment. There is no sense in having a more secure algorithm because anybody who can't crack that algorithm may just attack the weakest link in the chain above you.
This only holds while assuming similar key rotation schemes, I believe? If the roots are signed with RSASHA256 and rotate every 3 months, while you sign, set it and forget it, you're vulnerable to anyone that can crack RSASHA256 over any period of time.
Probably a theoretical difference; if it becomes feasible for someone to crack RSASHA256 in any reasonable level of time, it would be equally feasible to invest in 2x-8x the hardware and start breaking roots in under 3 months.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
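As an added example (not part of Dave Warren's or Heiko Richter's posts, and not BIND's own code): the difference between "rotate every 3 months" and "sign, set it and forget it" is visible in a zone's RRSIG records, which carry the algorithm number plus the signature inception and expiration timestamps. The script below parses RRSIG records in the presentation format dig prints, names the algorithm, computes the validity window, and flags signatures that exceed a local policy limit. The record lines, key tags, signer names and the 30-day limit are all constructed for the example.

```python
"""Report the signing algorithm and signature validity window of RRSIG records
given in zone-file presentation format (RFC 4034 section 3.2).

The sample records at the bottom are constructed for this example; they are not
captured from the root zone or from any real zone."""
import re
from datetime import datetime, timezone

# DNSSEC algorithm numbers as registered with IANA (RFC 4034, RFC 5702, RFC 6605).
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

# RRSIG RDATA fields in order: type covered, algorithm, labels, original TTL,
# signature expiration, signature inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<signature>\S+)$"
)


def parse_timestamp(value):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return the fields of one RRSIG record, with the validity window in days."""
    match = RRSIG_RE.match(line.strip())
    if match is None:
        raise ValueError("not an RRSIG record in presentation format: %r" % line)
    alg = int(match.group("alg"))
    inception = parse_timestamp(match.group("inception"))
    expiration = parse_timestamp(match.group("expiration"))
    return {
        "owner": match.group("owner"),
        "covered": match.group("covered"),
        "algorithm": ALGORITHMS.get(alg, "unknown(%d)" % alg),
        "keytag": int(match.group("keytag")),
        "signer": match.group("signer"),
        "inception": inception,
        "expiration": expiration,
        "validity_days": (expiration - inception).days,
    }


def check_signatures(records, max_validity_days=30):
    """Flag RRSIGs whose validity window exceeds the policy limit.

    max_validity_days is a local policy value chosen for this example, not a
    value mandated by any RFC or by the root zone."""
    findings = []
    for line in records:
        fields = line.split()
        if len(fields) < 4 or fields[3] != "RRSIG":
            continue  # only RRSIG records carry timestamps
        sig = parse_rrsig(line)
        if sig["validity_days"] > max_validity_days:
            findings.append(sig)
    return findings


# Constructed sample: a three-week signature over the root DNSKEY RRset and a
# two-year signature from a hypothetical zone that signed once and never re-signed.
SAMPLE_RECORDS = [
    ".             172800 IN DNSKEY 257 3 8 AwEAAaRootKeyPlaceholder==",
    ".             172800 IN RRSIG DNSKEY 8 0 172800 20150906000000 20150816000000 1234 . c29tZXNpZ25hdHVyZQ==",
    "example.test. 3600   IN RRSIG DNSKEY 8 2 3600   20170801000000 20150801000000 5678 example.test. c29tZXNpZ25hdHVyZQ==",
]

if __name__ == "__main__":
    for sig in check_signatures(SAMPLE_RECORDS):
        print("%s: %s signature valid for %d days (key tag %d)" % (
            sig["owner"], sig["algorithm"], sig["validity_days"], sig["keytag"]))
```

Signature validity is not the same thing as key rollover: DNSKEY records carry no timestamps, so key age has to be tracked from the signer's own records (for BIND, the timing metadata that dnssec-keygen and dnssec-settime write into the key files). A multi-year RRSIG window is, however, the externally visible symptom of a zone that was signed once and left alone.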