<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>There is a very good reason for not killing SHA1 right now in </div><div id="AppleMailSignature"><br><a href="https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02">https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02</a></div><div id="AppleMailSignature"><br>Sent from my iPhone</div><div><br>On Apr 23, 2017, at 12:46, Viktor Dukhovni via Unbound-users <<a href="mailto:unbound-users@unbound.net">unbound-users@unbound.net</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On Sat, Apr 22, 2017 at 01:43:41PM +0200, A. Schulze wrote:</span><br><span></span><br><blockquote type="cite"><span>Am 22.04.2017 um 13:20 schrieb A. Schulze via Unbound-users:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Am 13.04.2017 um 10:17 schrieb W.C.A. Wijngaards via Unbound-users:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Unbound 1.6.2rc1 maintainers prerelease is available:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>  DS records.  NSEC3 is not disabled.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I tried --disable-sha1 and found any org. 
zone no longer got validated</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>(was handled like unsigned)</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>there are currently 2727 DS records in the root zone.</span><br></blockquote><blockquote type="cite"><span>  65 x Algorithm 5  for DNSKEY RSA/SHA-1</span><br></blockquote><span></span><br><span>Note that this includes the ".se" TLD which I believe has one of</span><br><span>the highest numbers of signed child 2LDs.  Among zones for which</span><br><span>I can get complete zone data, the signed 2LD child count is:</span><br><span></span><br><span>  685654 se     ALG 5   (RSA/SHA-1)</span><br><span>  654244 com    ALG 8   (RSA/SHA-256)</span><br><span>  104376 net    ALG 8</span><br><span>   84536 nu     ALG 7   (RSA/SHA-1 NSEC3-SHA1)</span><br><span>   75838 org    ALG 7</span><br><span>   19909 ovh    ALG 8</span><br><span>    7401 xyz</span><br><span>         ...</span><br><span></span><br><span>(Incomplete) data from other sources yields lower bounds for</span><br><span>additional TLDs:</span><br><span></span><br><span>    514361 nl     ALG 8</span><br><span>    313133 fr     ALG 8</span><br><span>    175890 cz     ALG 10  (RSA/SHA-512)</span><br><span>    165568 no     ALG 8</span><br><span>    116359 de     ALG 8</span><br><span>     91986 eu     ALG 8</span><br><span>     49890 br     ALG 5</span><br><span>     19818 info   ALG 7</span><br><span>     16756 hu     ALG 8</span><br><span>     15379 biz    ALG 8</span><br><span>     14167 pw     ALG 7</span><br><span>     14009 be     ALG 8</span><br><span>      5504 at     ALG 8</span><br><span>       ...</span><br><span></span><br><blockquote type="cite"><span>--disable-sha1 makes 539 zones / ~20% of the root zone unsigned;</span><br></blockquote><blockquote type="cite"><span>that sounds strongly unlike "enabled on production systems" :-)</span><br></blockquote><span></span><br><span>Yes, this loses .se, .nu, .org, .br, .info and .pw which collectively</span><br><span>account for at least 930k signed 2LD domains out of a total of</span><br><span>around 3 million.  So that's closer to 30% of the deployed base.</span><br><span></span><br><span>-- </span><br><span>    Viktor.</span><br></div></blockquote></body></html>
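An added example of how the DS counts discussed in the thread can be produced (it is not part of the thread and not Unbound's own code): it parses the DS records of a zone in presentation format, tallies them per DNSKEY algorithm, and reports which delegations a validator built with --disable-sha1 would treat as insecure. Two assumptions are marked in the code: the zone snippet is a constructed sample with placeholder key tags and digests, and a SHA-1-free build is taken to reject DS digest type 1 as well as the SHA-1 signing algorithms (3, 5, 6, 7); the `reject_sha1_digest` flag lets you drop the second assumption. The one point the raw per-algorithm count hides is that a delegation only falls back to insecure when none of its DS records is usable, so a zone mid-rollover with a SHA-1 DS next to a SHA-256 DS keeps validating.

```python
"""Tally DS records per DNSSEC algorithm and find the delegations a validator
built without SHA-1 would treat as insecure ("handled like unsigned").
Added example, not Unbound's code; the zone text is a constructed sample."""
from collections import Counter

# IANA DNSSEC algorithm numbers seen in the thread (labels only)
ALG_NAMES = {3: "DSA/SHA-1", 5: "RSA/SHA-1", 6: "DSA-NSEC3-SHA1",
             7: "RSASHA1-NSEC3-SHA1", 8: "RSA/SHA-256", 10: "RSA/SHA-512",
             13: "ECDSAP256SHA256", 15: "ED25519"}
# Signing algorithms whose RRSIGs are computed over SHA-1: this is what a
# --disable-sha1 build drops from DNSKEY/RRSIG processing.
SHA1_SIGNING_ALGS = {3, 5, 6, 7}
# DS digest type 1 is SHA-1. Assumption: a SHA-1-free build rejects it too.
SHA1_DS_DIGEST = 1

SAMPLE_ZONE = """\
; constructed sample in root-zone style; key tags and digests are placeholders
se.       86400 IN DS 10001 5  2 0A0A0A0A
com.      86400 IN DS 10002 8  2 0B0B0B0B
nu.       86400 IN DS 10003 7  2 0C0C0C0C
org.      86400 IN DS 10004 7  1 0D0D0D0D
org.      86400 IN DS 10004 7  2 0E0E0E0E
cz.       86400 IN DS 10005 10 2 0F0F0F0F
nl.       86400 IN DS 10006 8  2 1A1A1A1A
; rollover in progress: old SHA-1 DS beside a new SHA-256 one
example.  86400 IN DS 10007 5  1 1B1B1B1B
example.  86400 IN DS 10008 8  2 1C1C1C1C
; SHA-256 key, but the DS was published with a SHA-1 digest
test.     86400 IN DS 10009 8  1 1D1D1D1D
"""


def parse_ds(zone_text):
    """Return (owner, keytag, algorithm, digest_type) for every DS RR in
    'owner [TTL] [class] DS keytag algorithm digest_type digest...' form.
    Comment (';') and non-DS lines are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            i = fields.index("DS")
        except ValueError:
            continue
        # need an owner before DS and keytag/alg/digest_type/digest after it
        if i < 1 or len(fields) < i + 5:
            continue
        keytag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        records.append((fields[0].lower(), keytag, alg, dtype))
    return records


def count_by_algorithm(records):
    """DS record count per DNSKEY algorithm number."""
    return Counter(alg for _, _, alg, _ in records)


def ds_usable_without_sha1(alg, dtype, reject_sha1_digest=True):
    """Can a SHA-1-free validator make any use of this DS?"""
    if alg in SHA1_SIGNING_ALGS:
        return False
    return not (reject_sha1_digest and dtype == SHA1_DS_DIGEST)


def delegations_losing_validation(records, reject_sha1_digest=True):
    """Owners whose entire DS RRset is unusable. A delegation is treated as
    insecure only when the validator supports none of its DS records
    (RFC 4035 section 5.2, RFC 6840 section 5.2), so a zone mid-rollover
    with one usable DS keeps validating."""
    usable = {}
    for owner, _, alg, dtype in records:
        ok = ds_usable_without_sha1(alg, dtype, reject_sha1_digest)
        usable[owner] = usable.get(owner, False) or ok
    return sorted(owner for owner, ok in usable.items() if not ok)


def summarize(zone_text, reject_sha1_digest=True):
    """Per-algorithm counts plus the delegations that fall back to insecure."""
    records = parse_ds(zone_text)
    owners = {owner for owner, _, _, _ in records}
    lost = delegations_losing_validation(records, reject_sha1_digest)
    return {"ds_records": len(records), "delegations": len(owners),
            "by_algorithm": dict(count_by_algorithm(records)), "lost": lost,
            "lost_fraction": len(lost) / len(owners) if owners else 0.0}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    r = summarize(text)
    for alg, n in sorted(r["by_algorithm"].items()):
        print(f"{n:6d} x Algorithm {alg:<3} {ALG_NAMES.get(alg, '?')}")
    print(f"{len(r['lost'])} of {r['delegations']} delegations "
          f"({r['lost_fraction']:.0%}) become insecure without SHA-1: "
          + ", ".join(r["lost"]))
```

Run it against a real root zone file (`python3 ds_count.py root.zone`) to reproduce the "N x Algorithm 5" style tally from the thread; on the constructed sample, `se.`, `nu.` and `org.` are lost through their signing algorithm, `test.` only through its SHA-1 DS digest, and `example.` survives because its SHA-256 DS is still usable.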