JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for DNSSEC-DISCUSS Archives

DNSSEC-DISCUSS Archives

DNSSEC-DISCUSS Archives


DNSSEC-DISCUSS@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font
LISTSERV Archives

LISTSERV Archives
DNSSEC-DISCUSS Home

DNSSEC-DISCUSS Home
DNSSEC-DISCUSS January 2020

DNSSEC-DISCUSS January 2020

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

 Log In

Log In

 Get Password

Get Password

Subject:

SHA-1 chosen prefix collisions and DNSSEC

From:

Tony Finch <[log in to unmask]>

Reply-To:

Tony Finch <[log in to unmask]>

Date:

Fri, 10 Jan 2020 14:00:41 +0000

Content-Type:

text/plain

Parts/Attachments:
Parts/Attachments

text/plain (32 lines) 

Hello world, time to wake this list up, I think:

On the 7th January, a new more flexible and efficient collision attack
against SHA-1 was announced: SHA-1 is a shambles https://sha-mbles.github.io/

SHA-1 is deprecated but still used in DNSSEC by some zones, and this
collision attack means that some attacks against DNSSEC are now merely
logistically challenging rather than being cryptographically infeasible.

As a consequence, anyone who is using a SHA-1 DNSKEY algorithm (algorithm
numbers 7 or less) should upgrade. The recommended algorithms are 13
(ECDSAP256SHA256) or 8 (RSASHA256, with 2048 bit keys).

Towards the end of last year I started upgrading all our zones to
algorithm 13. This project is very nearly complete; what remains is
cam.ac.uk itself, plus a few reverse DNS zones and some zones delegated to
departments.

I've written a longer article on our DNS blog about the implications of
chosen prefix collisions for DNSSEC:

https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html

-- 
Tony Finch - Hostmaster - Cambridge University Information Services
      <[log in to unmask]>   <https://fanf2.user.srcf.net/>

########################################################################

To unsubscribe from the DNSSEC-DISCUSS list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=DNSSEC-DISCUSS&A=1

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

February 2024
January 2020
October 2018
May 2018
November 2017
October 2017
October 2016
September 2016
July 2016
June 2016
May 2016
May 2015
February 2015
January 2015
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
August 2012
July 2012
June 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

For help and support help@jisc.ac.uk

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager