<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">
<div>There is a very good reason for not killing SHA1 right now in</div>
<div id="AppleMailSignature"><br><a href="https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02">https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02</a></div>
<div id="AppleMailSignature"><br>Sent from my iPhone</div>
<div><br>On Apr 23, 2017, at 12:46, Viktor Dukhovni via Unbound-users &lt;<a href="mailto:unbound-users@unbound.net">unbound-users@unbound.net</a>&gt; wrote:<br><br></div>
<blockquote type="cite"><div>
<span>On Sat, Apr 22, 2017 at 01:43:41PM +0200, A. Schulze wrote:</span><br>
<br>
<blockquote type="cite">
<span>On 22.04.2017 at 13:20, A. Schulze via Unbound-users wrote:</span><br>
<blockquote type="cite">
<span>On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:</span><br>
<br>
<blockquote type="cite">
<span>Unbound 1.6.2rc1 maintainers prerelease is available:</span><br>
<span>- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and</span><br>
<span>DS records. NSEC3 is not disabled.</span><br>
</blockquote>
<br>
<span>I tried --disable-sha1 and found any .org zone no longer got validated</span><br>
<span>(was handled like unsigned)</span><br>
</blockquote>
<br>
<span>there are currently 2727 DS records in the root zone.</span><br>
<span>65 x Algorithm 5 for DNSKEY RSA/SHA-1</span><br>
</blockquote>
<br>
<span>Note that this includes the ".se" TLD which I believe has one of</span><br>
<span>the highest number of signed child 2LDs. Among zones for which</span><br>
<span>I can get complete zone data, the signed 2LD child count is:</span><br>
<pre>
 685654 se   ALG 5  (RSA/SHA-1)
 654244 com  ALG 8  (RSA/SHA-256)
 104376 net  ALG 8
  84536 nu   ALG 7  (RSA/SHA-1 NSEC3-SHA1)
  75838 org  ALG 7
  19909 ovh  ALG 8
   7401 xyz
    ...
</pre>
<span>(Incomplete) data from other sources yields lower bounds for</span><br>
<span>additional TLDs:</span><br>
<pre>
 514361 nl   ALG 8
 313133 fr   ALG 8
 175890 cz   ALG 10 (RSA/SHA-512)
 165568 no   ALG 8
 116359 de   ALG 8
  91986 eu   ALG 8
  49890 br   ALG 5
  19818 info ALG 7
  16756 hu   ALG 8
  15379 biz  ALG 8
  14167 pw   ALG 7
  14009 be   ALG 8
   5504 at   ALG 8
    ...
</pre>
<blockquote type="cite">
<span>--disable-sha1 makes 539 zones / ~20% of the root zone unsigned</span><br>
<span>sounds strongly not like "enabled on production systems" :-)</span><br>
</blockquote>
<br>
<span>Yes, this loses .se, .nu, .org, .br, .info and .pw which collectively</span><br>
<span>account for at least 930k signed 2LD domains out of a total of</span><br>
<span>around 3 million. So that's closer to 30% of the deployed base.</span><br>
<br>
<span>-- </span><br>
<span> Viktor.</span><br>
</div></blockquote>
</body></html>
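As an added illustration of the validator behaviour discussed in the thread (example code written for this page, not code from the thread, from Unbound or from its authors), the following Python tallies DS records by DNSKEY algorithm and lists the zones a resolver would treat as unsigned once the SHA-1 signing algorithms are disabled. The DS data is constructed; the rule that a zone is lost only when every one of its DS records names a disabled algorithm follows RFC 4035 section 5.2, and the DS digest type is deliberately left out of the model.

```python
# Added example (not from the thread): which delegations would a validator built
# with --disable-sha1 treat as unsigned, judging from each zone's DS RRset alone?
from collections import Counter, defaultdict

# DNSKEY algorithms whose signatures are SHA-1 based (IANA registry):
# 3 DSA/SHA1, 5 RSA/SHA1, 6 DSA-NSEC3-SHA1, 7 RSASHA1-NSEC3-SHA1.
SHA1_ALGORITHMS = {3, 5, 6, 7}

# Constructed sample (owner TTL class DS keytag algorithm digest-type digest);
# names, key tags and digests are made up, only the algorithm mix echoes the
# thread: 5 and 7 on some TLDs, 8 or 10 elsewhere.
SAMPLE_DS_RRS = """\
se.   86400 IN DS 1001 5  2 1111aaaa
se.   86400 IN DS 1001 5  1 2222bbbb
org.  86400 IN DS 1002 7  2 3333cccc
com.  86400 IN DS 1003 8  2 4444dddd
cz.   86400 IN DS 1005 10 2 6666ffff
; mid-rollover: the old SHA-1 key and the new SHA-256 key both have a DS
nu.   86400 IN DS 1006 7  2 7777abcd
nu.   86400 IN DS 1007 8  2 8888efab
"""

def parse_ds(text):
    """Map owner -> list of (keytag, algorithm, digest_type) from DS lines."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, keytag, alg, dtype, _digest = line.split(None, 7)
        if rtype == "DS":
            rrsets[owner.lower()].append((int(keytag), int(alg), int(dtype)))
    return rrsets

def algorithm_counts(rrsets):
    """DS records per DNSKEY algorithm, like the root-zone tally in the thread."""
    return Counter(alg for dss in rrsets.values() for _, alg, _ in dss)

def insecure_without(rrsets, disabled=SHA1_ALGORITHMS):
    """Zones whose every DS names a disabled algorithm: with no usable DS the
    validator has no authenticated path into the child and treats it as
    unsigned (RFC 4035, section 5.2). nu. above keeps one alg 8 DS and survives."""
    return sorted(zone for zone, dss in rrsets.items()
                  if all(alg in disabled for _, alg, _ in dss))

def report(text=SAMPLE_DS_RRS):
    """Per-algorithm DS tally plus the zones --disable-sha1 would lose."""
    rrsets = parse_ds(text)
    return {"per_algorithm": dict(algorithm_counts(rrsets)),
            "unsigned": insecure_without(rrsets)}
```

Feeding the real root zone's DS RRsets through `report()` reproduces the kind of per-algorithm count and "zones left unsigned" figure quoted in the thread.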