On Wed, Mar 23, 2022 at 3:20 PM Petr Menšík <pemen...@redhat.com> wrote:
>
> Yes, it says so. It also says SHA-1 is not recommended for new
> signatures and the ietf.org signature was made at 20220318000627.

It's more accurate to say that it's not recommended for new deployments. Operators are encouraged to migrate to more secure algorithms, but given an existing deployment there's no MUST associated with that migration, yet.

> Is there a
> reason why DNS is so much better protected than TLS certificates? Is its
> shorter message length a good protection? I don't understand the
> difference between
>

It's to do with the expected lifetime of the signatures, and the fact that we're dealing with signatures, not encryption. There is no need to have years of protection from a single key or signature, as there is with encryption and privacy, as is intended for TLS.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
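A defender's audit of the point made in this reply (signature algorithm and signature lifetime), as an added example that is not part of the thread: it parses RRSIG records in `dig +dnssec` presentation format, flags the SHA-1 based algorithms (IANA numbers 5 and 7, which RFC 8624 lists as NOT RECOMMENDED for signing), and reports how long each signature is valid. The RRSIG lines and the 30-day threshold are constructed for illustration, not taken from ietf.org.

```python
"""Audit DNSSEC RRSIG records: flag SHA-1 algorithms and long validity windows."""
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers; RFC 8624 marks 5 and 7 NOT RECOMMENDED for signing.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
SHA1_ALGORITHMS = {5, 7}

# Constructed sample RRSIGs (hypothetical zone), in the layout `dig +dnssec` prints:
# owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 5 2 3600 20220401000627 20220318000627 12345 example.test. AbCd==
example.test. 3600 IN RRSIG MX 13 2 3600 20220401000000 20220317000000 54321 example.test. EfGh==
example.test. 3600 IN RRSIG SOA 7 2 3600 20250101000000 20220101000000 11111 example.test. IjKl==
"""

def parse_timestamp(value):
    # RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2).
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": parse_timestamp(f[8]), "inception": parse_timestamp(f[9]),
            "key_tag": int(f[10])}

def audit_rrsig(line, max_window_days=30):
    """Return the parsed record plus findings. max_window_days is a constructed policy threshold."""
    sig = parse_rrsig(line)
    window_days = (sig["expiration"] - sig["inception"]).total_seconds() / 86400
    findings = []
    if sig["algorithm"] in SHA1_ALGORITHMS:
        findings.append(f"algorithm {sig['algorithm']} ({ALGORITHMS[sig['algorithm']]}) is SHA-1 based; "
                        "NOT RECOMMENDED for new signatures (RFC 8624), plan an algorithm rollover")
    if window_days > max_window_days:
        findings.append(f"validity window of {window_days:.0f} days exceeds {max_window_days}; "
                        "a long-lived signature extends the exposure of a weak hash")
    return {**sig, "window_days": window_days, "findings": findings}

def audit_zone(text, max_window_days=30):
    return [audit_rrsig(l, max_window_days) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for r in audit_zone(SAMPLE_RRSIGS):
        status = "; ".join(r["findings"]) or "ok"
        print(f"{r['owner']} {r['type_covered']} alg={r['algorithm']} window={r['window_days']:.0f}d: {status}")
```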