Re: DS Algorithm selection and SHA1 deprecation



>>>>> On Wed, 07 Dec 2005 16:38:44 +0000, Alex Bligh <alex@alex.org.uk> said:

Alex> I guess my point is that provided validators continue accepting
Alex> SHA1, authoritative servers using SHA256 are still vulnerable to
Alex> attack, by spoofing SHA1 records if SHA-1 is broken.  I.e. the
Alex> operator will be helped not by using SHA-256, but by the
Alex> validator not accepting SHA-1.

If a zone operator publishes both SHA-256 and SHA-1 based records then
validators that support SHA-256 will always have a secure path to the
child.  Attackers cannot remove the SHA-256 record in the DS RR set
since the RRSIG covering them wouldn't validate.  Thus a validator
would know that data was missing and wouldn't even get to the point of
checking the SHA-1 hash.  The only way a SHA-1 DS record can be
attacked (assuming operators do actually prefer SHA-256) is if a
collision is found for an existing DS record and if the DS set only
contains SHA-1 based records.


-- 
Wes Hardaker
Sparta, Inc.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
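
The selection behaviour described in the reply above, as an added Python example (not part of the original message or of any validator's code). It assumes the DS RRset has already passed RRSIG validation, leaves out key tag and algorithm matching, and uses constructed keys in which the SHA-1 DS is built to match a forged key as a stand-in for a collision.

```python
import hashlib

SHA1, SHA256 = 1, 2  # DS digest type numbers
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lowercased) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format | DNSKEY RDATA)."""
    return HASHES[digest_type](name_to_wire(owner) + rdata).digest()

def usable_ds(ds_rrset, supported=(SHA1, SHA256)):
    """Keep only the strongest supported digest type from a validated DS RRset.

    Assumption: ds_rrset is a list of (digest_type, digest) pairs whose RRSIG
    already verified, so nobody on the path can have stripped a record from it.
    """
    present = {dt for dt, _ in ds_rrset if dt in supported}
    if not present:
        return []
    best = SHA256 if SHA256 in present else SHA1
    return [(dt, d) for dt, d in ds_rrset if dt == best]

def key_is_trusted(owner, rdata, ds_rrset, supported=(SHA1, SHA256)):
    """True if the DNSKEY matches a DS record the validator is willing to use."""
    return any(ds_digest(owner, rdata, dt) == d
               for dt, d in usable_ds(ds_rrset, supported))

# Constructed sample data (hypothetical zone and key material).
OWNER = "child.example."
REAL = dnskey_rdata(257, 3, 5, b"constructed-real-key")
FORGED = dnskey_rdata(257, 3, 5, b"constructed-forged-key")
# Stand-in for a SHA-1 collision: the SHA-1 DS is built to match the forged key.
DUAL = [(SHA1, ds_digest(OWNER, FORGED, SHA1)), (SHA256, ds_digest(OWNER, REAL, SHA256))]
SHA1_ONLY = DUAL[:1]

if __name__ == "__main__":
    print("real key, dual DS set:     ", key_is_trusted(OWNER, REAL, DUAL))
    print("forged key, dual DS set:   ", key_is_trusted(OWNER, FORGED, DUAL))
    print("forged key, SHA-1-only set:", key_is_trusted(OWNER, FORGED, SHA1_ONLY))
    print("forged key, SHA-1-only validator:",
          key_is_trusted(OWNER, FORGED, DUAL, supported=(SHA1,)))
```

The last two cases are the exposures named in the thread: a DS set that contains only SHA-1 records, and a validator that does not support SHA-256.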