On 2/13/19 3:51 AM, Alice Wonder wrote:
I see you are using algorithm 7 - I would recommend switching to either algorithm 13 or at least to 8.
Algorithm 7 uses a SHA1 hash.
See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04
That's a draft but soon will be an update to the standard.
Algorithm 13 (ECDSAP256SHA256) results in much smaller keys and signatures and is equivalent to about RSA-3072 in strength, and it uses a SHA-256 hash.
However note that changing algorithms will result in validation failure for a few days unless done carefully.
Okay thanks. Whatever problems it might cause I think the Alaskan Malamute Assistance League can deal with for a day or two. Seeing as I already caused a problem last weekend I see no reason not to repeat this weekend! But at least I can give some warning :)
As long as you don't change your KSK that information will not change.
I kind of figured this out on my own this morning when I woke up around 7AM MST. I guess I wanted to turn a mole hill into a mountain. Thank you so much for your help Alice.
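The two points Alice makes, that algorithm 7 is built on SHA-1 and that an algorithm change breaks validation unless every algorithm in the DNSKEY RRset keeps signing, can be checked before a zone is published. The script below is an added example, not part of the thread and not anyone's production tooling: it parses DNSKEY and RRSIG lines in zone-file presentation format, flags SHA-1 based keys, and reports any RRset that lacks an RRSIG from some algorithm present in the apex DNSKEY RRset (the RFC 4035 section 2.2 rule that makes a careless rollover fail). The zone lines, key material and signature fields are constructed placeholders, and the per-algorithm status column is my summary of the signing recommendations in the draft Alice links, so verify it against the current text.

```python
"""Added example (not from the thread): lint a zone apex for the issues Alice raises.

 1. A DNSKEY whose algorithm is built on SHA-1 (5 RSASHA1, 7 RSASHA1-NSEC3-SHA1).
 2. A careless algorithm rollover: RFC 4035 section 2.2 requires that every
    algorithm present in the apex DNSKEY RRset also sign each RRset, so an RRset
    with no RRSIG from one of those algorithms fails validation.
The zone records below are constructed; key and signature fields are placeholders.
"""
import re
from collections import defaultdict

# IANA algorithm numbers; the status column is my reading of the signing
# recommendations in draft-ietf-dnsop-algorithm-update (assumption, check the draft).
ALGORITHMS = {
    5: ("RSASHA1", "NOT RECOMMENDED"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
}
SHA1_ALGORITHMS = {5, 7}  # the hash Alice warns about

# owner TTL IN DNSKEY flags protocol algorithm public-key
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S+")
# owner TTL IN RRSIG type-covered algorithm labels original-ttl ...
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+")


def parse_dnskeys(zone_text):
    """Return a list of (owner, flags, algorithm) for each DNSKEY line."""
    keys = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            keys.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return keys


def parse_rrsigs(zone_text):
    """Return {(owner, type covered): set of algorithms that signed it}."""
    sigs = defaultdict(set)
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs[(m.group(1), m.group(2))].add(int(m.group(3)))
    return sigs


def sha1_keys(keys):
    """Describe every DNSKEY whose algorithm relies on SHA-1."""
    findings = []
    for owner, flags, alg in keys:
        name, status = ALGORITHMS.get(alg, ("unknown", "unknown"))
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit (value 1) marks a key-signing key
        if alg in SHA1_ALGORITHMS:
            findings.append(f"{owner} {role} algorithm {alg} ({name}) uses SHA-1; "
                            f"signing status: {status}")
    return findings


def missing_rrsigs(keys, sigs):
    """RRsets lacking an RRSIG from some algorithm present in the DNSKEY RRset."""
    key_algs = {alg for _, _, alg in keys}
    problems = []
    for (owner, rtype), sig_algs in sorted(sigs.items()):
        for alg in sorted(key_algs - sig_algs):
            problems.append(f"{owner} {rtype}: no RRSIG by algorithm {alg}")
    return problems


def lint(zone_text):
    """Run both checks over zone-file text and return the findings."""
    keys = parse_dnskeys(zone_text)
    sigs = parse_rrsigs(zone_text)
    return {"sha1_keys": sha1_keys(keys), "missing_rrsigs": missing_rrsigs(keys, sigs)}


# Constructed apex mid-rollover: algorithm 13 keys were added and the DNSKEY RRset
# is signed by both algorithms, but the SOA still carries only an algorithm 7 RRSIG.
SAMPLE_ZONE = """\
example.org. 3600 IN DNSKEY 257 3 7 AwEAAcKSK7PLACEHOLDER
example.org. 3600 IN DNSKEY 256 3 7 AwEAAcZSK7PLACEHOLDER
example.org. 3600 IN DNSKEY 257 3 13 KSK13PLACEHOLDER
example.org. 3600 IN DNSKEY 256 3 13 ZSK13PLACEHOLDER
example.org. 3600 IN RRSIG DNSKEY 7 2 3600 20190301000000 20190201000000 12345 example.org. SIG7PLACEHOLDER
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20190301000000 20190201000000 54321 example.org. SIG13PLACEHOLDER
example.org. 3600 IN RRSIG SOA 7 2 3600 20190301000000 20190201000000 12345 example.org. SIG7PLACEHOLDER
"""

if __name__ == "__main__":
    report = lint(SAMPLE_ZONE)
    for section, items in report.items():
        print(section)
        for item in items:
            print("  " + item)
```

Running it on the constructed zone reports the two algorithm 7 keys and one missing signature, the SOA with no algorithm 13 RRSIG; that SOA is exactly the record a validator that picks the new algorithm would reject, which is the failure Alice says a careless change causes.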