On 2/13/19 3:51 AM, Alice Wonder wrote:
> I see you are using algorithm 7 - I would recommend switching to
> either algorithm 13 or at least to 8.
>
> Algorithm 7 uses a SHA1 hash.
>
> See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04
>
> That's a draft but soon will be an update to the standard.
>
> Algorithm 13 (ECDSAP256SHA256) results in much smaller keys and
> signatures and is equivalent to about RSA-3072 in strength, and it
> uses a SHA-256 hash.
>
> However, note that changing algorithms will result in validation
> failure for a few days unless done carefully.

Okay thanks. Whatever problems it might cause I think the Alaskan
Malamute Assistance League can deal with for a day or two. Seeing as I
already caused a problem last weekend I see no reason not to repeat this
weekend! But at least I can give some warning :)

> As long as you don't change your KSK that information will not change.

I kind of figured this out on my own this morning when I woke up around
7AM MST. I guess I wanted to turn a molehill into a mountain. Thank you
so much for your help, Alice.

--
Paul (ganci@xxxxxxxxxx)
Cell: (303)257-5208
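
An added example, not part of the original thread: a check of a zone's DNSKEY records that flags SHA-1 algorithms (5 and 7) and reports any parent DS record no longer matched by a published KSK, which is the state an abrupt algorithm switch leaves behind. The zone name, key material and DS values are constructed for illustration; the key tag is computed as in RFC 4034 Appendix B.

```python
import base64

# IANA DNSSEC algorithm numbers named in the thread, plus 5 (the other RSA/SHA-1 one).
ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
SHA1_ALGS = {5, 7}

def key_tag(flags, proto, alg, pubkey):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pub = base64.b64decode("".join(f[i + 4:]))
    role = "KSK" if flags & 1 else "ZSK"  # SEP bit set (flags 257) marks a KSK
    return {"role": role, "alg": alg, "tag": key_tag(flags, proto, alg, pub)}

def audit(dnskey_lines, ds_pairs):
    """ds_pairs: (key tag, algorithm) of each DS record held by the parent zone."""
    keys = [parse_dnskey(line) for line in dnskey_lines]
    findings = [f"{k['role']} tag {k['tag']} uses {ALGS[k['alg']]} (SHA-1)"
                for k in keys if k["alg"] in SHA1_ALGS]
    ksks = {(k["tag"], k["alg"]) for k in keys if k["role"] == "KSK"}
    findings += [f"DS tag {t} alg {a} matches no published KSK"
                 for t, a in ds_pairs if (t, a) not in ksks]
    return findings

# Constructed sample records: the 3-byte key material is a placeholder, not a real key.
OLD_ZONE = ["example.test. 3600 IN DNSKEY 257 3 7 AQAB",
            "example.test. 3600 IN DNSKEY 256 3 7 AQAB"]
NEW_ZONE = ["example.test. 3600 IN DNSKEY 257 3 13 AQAB",
            "example.test. 3600 IN DNSKEY 256 3 13 AQAB"]
PARENT_DS = [(1544, 7)]  # DS still pointing at the algorithm 7 KSK

if __name__ == "__main__":
    for name, zone in (("before", OLD_ZONE), ("after abrupt switch", NEW_ZONE)):
        print(name, audit(zone, PARENT_DS))
```
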