On 5/2/24 10:13, Philip Homburg wrote:
is getting people to sign their zones in the first place (and adding
transport security). But we have time to just kill 140k signed for
no technical reasons?
In the end the current draft has a strong negative effect on the direct and indirect
> e.g. as other OS vendors follow suit and SHA-1 support
> disappears from crypto libraries.
As described by Mark Andrews, one thing that made the Redhat situation more
complex is that they didn't just remove SHA1 signing support, they modified
openssl to return bogus RSA validation results at runt
It appears that said:
>There are other reasons to deprecate SHA-1 in DNSSEC than mathematical concern
>about the use of that particular digest algorithm in the protocol. Problems
>with SHA-1 definitively exist in other places, in protocols that are in much
>more widespread use than DNSSEC. Fo
On May 1, 2024, at 07:32, Philip Homburg wrote:
>> Their zone is already made insecure by a number of OS/DNS implementation
>> combos. Perhaps someone with RIPE Atlas credits can run a check like the
>> equivalent of "dig dnskey nic.kpn +dnssec" to see how many endusers
>> already get insecure an
>Their zone is already made insecure by a number of OS/DNS implementation
>combos. Perhaps someone with RIPE Atlas credits can run a check like the
>equivalent of "dig dnskey nic.kpn +dnssec" to see how many endusers
>already get insecure answers for this?
This reads as Redhat strong-arming the IE
On Tue, 30 Apr 2024, Paul Hoffman wrote:
Until someone can show that a reduction in collision resistance can lead to a reduction in real-world
security for DNSSEC, we can wait for "MUST NOT validate", possibly forever. There is no good reason
for this group to say to a zone operator who signed
On Apr 30, 2024, at 16:20, Wes Hardaker wrote:
> 3. The whole discussion, IMHO, is side-stepping the real issue: if not
> now, then when? IE, do we never put something at MUST NOT? Is there a
> usage threshold? Is it "must be zero"? Is it "known to be broken and
> everyone must have a flag day