do not stupidly delete ZSK files
Dave Warren
davew at hireahit.com
Fri Aug 7 00:35:18 UTC 2015
On 2015-08-06 17:26, Heiko Richter wrote:
> Root is signed with RSASHA256 at the moment. There is no sense in
> having a more secure algorithm because anybody who can't crack that
> algorithm may just attack the weakest link in the chain above you.
This only holds while assuming similar key rotation schemes, I believe?
If the roots are signed with RSASHA256 and rotate every 3 months, while
you sign, set it and forget it, you're vulnerable to anyone that can
crack RSASHA256 over any period of time.
Probably a theoretical difference, if it becomes feasible for someone to
crack RSASHA256 in any reasonable level of time, it would be equally
feasible to invest in 2x-8x the hardware and start breaking roots in
under 3 months.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
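The exposure argument above turns on how long a single key stays in service compared with the rotation interval of the zones above it. As an added example (not code from this thread or from BIND), the script below reads RRSIG records in dig-style presentation format, takes the earliest signature inception seen per key tag as a lower bound on how long that key has been signing, and flags keys that have exceeded a rotation policy. The sample records, the 90-day threshold (matching the "3 months" figure in the discussion) and the reference date are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG records in dig presentation format. These are not
# real records; the trailing signature field is a placeholder.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20150901000000 20150801000000 12345 example.test. AAAA
example.test. 3600 IN RRSIG SOA 8 2 3600 20150810000000 20130101000000 54321 example.test. BBBB
example.test. 3600 IN RRSIG NS 8 2 3600 20150810000000 20150601000000 54321 example.test. CCCC
"""

# Constructed "current time" for the sample run.
SAMPLE_NOW = datetime(2015, 8, 7, tzinfo=timezone.utc)

# Rotation policy in days; 90 mirrors the 3-month interval mentioned in the thread.
DEFAULT_MAX_DAYS = 90


def _ts(s):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format.

    Field order: owner TTL class RRSIG type-covered algorithm labels
    original-TTL expiration inception key-tag signer signature.
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": _ts(f[8]),
        "inception": _ts(f[9]),
        "keytag": int(f[10]),
        "signer": f[11],
    }


def key_time_in_service(rrsigs, now):
    """Lower bound on how long each key has been signing.

    The earliest inception observed for a key tag is the earliest moment we
    can prove the key was in use, so now - inception never overstates its age.
    """
    earliest = {}
    for r in rrsigs:
        tag = r["keytag"]
        if tag not in earliest or r["inception"] < earliest[tag]:
            earliest[tag] = r["inception"]
    return {tag: (now - inc).days for tag, inc in earliest.items()}


def stale_keys(rrsigs, now, max_days=DEFAULT_MAX_DAYS):
    """Key tags whose observed time in service exceeds the rotation policy."""
    ages = key_time_in_service(rrsigs, now)
    return sorted(tag for tag, days in ages.items() if days > max_days)


def analyze(text, now, max_days=DEFAULT_MAX_DAYS):
    """Parse a block of RRSIG lines and return the key tags that should have rotated."""
    rrsigs = [parse_rrsig(l) for l in text.splitlines() if l.strip()]
    return stale_keys(rrsigs, now, max_days)


def analyze_sample():
    """Run the check over the constructed sample at the constructed reference time."""
    return analyze(SAMPLE_RRSIGS, SAMPLE_NOW)


if __name__ == "__main__":
    for tag, days in sorted(key_time_in_service(
            [parse_rrsig(l) for l in SAMPLE_RRSIGS.splitlines() if l.strip()],
            SAMPLE_NOW).items()):
        print(f"key tag {tag}: in service at least {days} days")
    print("keys past rotation policy:", analyze_sample())
```

Feeding this the RRSIGs from a real zone (for example the output of dig +dnssec for the zone's records) shows at a glance whether a "set it and forget it" key has been signing for far longer than the rotation interval of the zones above it, which is the window the post is describing.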