On 22/07/2024 11:17, A. Schulze wrote:
> Hello,
> The TLD .it is signed with Algorithm 10 / RSASHA512.
> (https://dnsviz.net/d/it/Zp348A/dnssec/)
> RFC 8624 says RSASHA512 is NOT RECOMMENDED. Does anybody know if .it
> will change its algorithm some day?
> Andreas
The table in RFC8624 is about implementation recommendations not which
algorithm you use for signing.
However, I agree that RSASHA512 is not such a great idea, as the RFC
slightly confusingly explains at the bottom of page 5:
"RSASHA512 is NOT RECOMMENDED for DNSSEC signing because it has not
seen wide deployment, but there are some deployments; hence, DNSSEC
validation MUST implement RSASHA512 to ensure interoperability.
There is no significant difference in cryptographic strength between
RSASHA512 and RSASHA256; therefore, use of RSASHA512 is discouraged
as it will only make deprecation of older algorithms harder. People
who wish to use a cryptographically stronger algorithm should switch
to elliptic curve cryptography algorithms."
I would change the first sentence of that to say signers not signing.
While I would encourage .it to switch to Alg. 13, I would be a lot more
worried by the UDP errors flagged by DNSViz.
regards
John
--
John Dickinson Sinodun Internet Technologies Ltd.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations