Hello world, time to wake this list up, I think:
On the 7th January, a new more flexible and efficient collision attack
against SHA-1 was announced: SHA-1 is a shambles https://sha-mbles.github.io/
SHA-1 is deprecated but still used in DNSSEC by some zones, and this
collision attack means that some attacks against DNSSEC are now merely
logistically challenging rather than being cryptographically infeasible.
As a consequence, anyone who is using a SHA-1 DNSKEY algorithm (algorithm
numbers 7 or less) should upgrade. The recommended algorithms are 13
(ECDSAP256SHA256) or 8 (RSASHA256, with 2048 bit keys).
Towards the end of last year I started upgrading all our zones to
algorithm 13. This project is very nearly complete; what remains is
cam.ac.uk itself, plus a few reverse DNS zones and some zones delegated to
departments.
I've written a longer article on our DNS blog about the implications of
chosen prefix collisions for DNSSEC:
https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html
--
Tony Finch - Hostmaster - Cambridge University Information Services
<[log in to unmask]> <https://fanf2.user.srcf.net/>
########################################################################
To unsubscribe from the DNSSEC-DISCUSS list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=DNSSEC-DISCUSS&A=1
|