Warren Kumari <war...@kumari.net> wrote:
>
> I don't think that it is realistic to deprecate SHA-1 in TSIG for the
> foreseeable future, but stronger recommendations about moving to
> SHA-256 might be in order.

Yes.

> There is already some text:

For context, the preceding paragraph says:

   The only message digest algorithm specified in the first version of
   these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321],
   [RFC2104]). Although a review of its security [RFC6151] concluded
   that "it may not be urgent to remove HMAC-MD5 from the existing
   protocols", with the availability of more secure alternatives the
   opportunity has been taken to make the implementation of this
   algorithm optional.

> The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as
> compared to the 128 bits for MD5), and additional hash algorithms in
> the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384,
> and 512 bits may be preferred in some cases. This is because
> increasingly successful cryptanalytic attacks are being made on the
> shorter hashes.

I think the quoted paragraph should say something like:

   [RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4],
   [RFC3174]. SHA-1 collisions have been demonstrated so the MD5
   security considerations apply to SHA-1 in a similar manner. Although
   support for hmac-sha1 in TSIG is still mandatory for compatibility
   reasons, existing uses should be replaced with hmac-sha256 or other
   SHA-2 digest algorithms [FIPS180-4], [RFC3874], [RFC6234].

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
German Bight: West veering northwest 4 or 5. Slight or moderate. Occasional
drizzle. Good, occasionally poor.
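
The message above proposes that existing hmac-sha1 uses be replaced with hmac-sha256 or another SHA-2 digest. The following is an added example, not part of the message or of the draft under discussion: a small audit that finds TSIG keys still configured with HMAC-MD5 or HMAC-SHA1. It assumes BIND-style `key "name" { algorithm ...; secret "..."; };` statements; the function names, verdict labels and sample configuration are constructed for illustration.

```python
import re

# Assumed classification, following the wording proposed in the message above.
LEGACY = {"hmac-md5", "hmac-sha1"}
SHA2 = {"hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}

# A quoted string or a comment; strings are matched first so that "//" inside
# a base64 secret is not mistaken for a comment.
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
KEY_RE = re.compile(r'(?<![\w-])key\s+"?(?P<name>[^\s"{]+)"?\s*\{(?P<body>[^}]*)\}')
ALG_RE = re.compile(r'algorithm\s+"?(?P<alg>[A-Za-z0-9.\-]+)"?\s*;', re.I)

def strip_comments(text):
    """Blank out comments while leaving quoted strings untouched."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return TOKEN_RE.sub(keep, text)

def normalize(alg):
    """Lowercase, drop the root dot, the HMAC-MD5 domain suffix and any
    truncation suffix such as the "-80" in hmac-sha1-80."""
    alg = alg.lower().rstrip(".")
    if alg.endswith(".sig-alg.reg.int"):
        alg = alg[: -len(".sig-alg.reg.int")]
    return re.sub(r"-\d+$", "", alg)

def audit(config_text):
    """Return (key name, normalized algorithm, verdict) for each key statement."""
    findings = []
    for m in KEY_RE.finditer(strip_comments(config_text)):
        alg_m = ALG_RE.search(m.group("body"))
        alg = normalize(alg_m.group("alg")) if alg_m else None
        if alg in LEGACY:
            verdict = "replace"      # MD5 / SHA-1: migrate to a SHA-2 digest
        elif alg in SHA2:
            verdict = "ok"
        else:
            verdict = "unknown"      # missing or unrecognized algorithm
        findings.append((m.group("name"), alg, verdict))
    return findings

# Constructed sample configuration (secrets are dummy values).
SAMPLE = '''
# constructed sample
key "xfer-old" { algorithm hmac-md5; secret "c2FtcGxlLy9zZWNyZXQ="; };
key "xfer-sha1" {
    algorithm HMAC-SHA1;   // still mandatory to implement
    secret "Y29uc3RydWN0ZWQ=";
};
key ddns-update { algorithm hmac-sha256; secret "ZXhhbXBsZQ=="; };
key "trunc" { algorithm hmac-sha1-80; secret "ZXhhbXBsZQ=="; };
'''

if __name__ == "__main__":
    for name, alg, verdict in audit(SAMPLE):
        print(f"{name:12} {alg or '-':12} {verdict}")
```

Both ends of a TSIG relationship share the key, so a key flagged `replace` has to be regenerated and rolled on the primary and every secondary or update client that uses it.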