Technical Summary
Given the crumbling confidence in SHA-1, DNSEXT, with the urging of Russ Housley, decided to address the weakest part of the DNSSEC chain: the long-lived digest
in the DS record. DS is used to transfer trust from a parent zone to a DNSKEY at the child. The DS record stores a digest of the public part of the key that the child
uses to sign its own DNSKEY set.
The change to SHA-256 is considered a significant improvement in resilience; the
Working Group is aware that this might be a temporary measure until a new
generation of standardized digest algorithms becomes available.
This document also contains some guidance on how implementations treat DS sets
where multiple digest algorithms are used. This part of the document has
seen the most discussion and clarification of text. There is strong consensus
behind this document.
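The two technical points above, the DS record as a digest over the child's DNSKEY and the handling of a DS set that carries more than one digest algorithm, are illustrated by the following example. It is added to this summary and is not code from the document or from the DNSEXT working group. The DS digest input (canonical owner name followed by the DNSKEY RDATA) and the key-tag computation follow RFC 4034; the digest type numbers are 1 for SHA-1 and 2 for SHA-256. The selection rule in `key_validated_by` (ignore SHA-1 DS records for a key when SHA-256 ones are present in the set) is the guidance published in RFC 4509 section 3; this summary does not spell it out. The zone name and the four-byte "public key" are constructed test data, not a real key.

```python
"""DS digest generation and validation over a DNSKEY.

Added example (not the document's own code). Digest input per RFC 4034 s5.1.4,
key tag per RFC 4034 Appendix B, SHA-256 as DS digest type 2.
"""
import hashlib
import hmac
from dataclasses import dataclass

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (this document).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase labels, no compression."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag (RFC 4034 Appendix B, the variant for all non-RSA/MD5 algorithms)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def presentation(self, owner: str) -> str:
        return f"{owner} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def ds_digest(key: DNSKEY, digest_type: int) -> bytes:
    """digest = H(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](canonical_name(key.owner) + key.rdata()).digest()


def make_ds(key: DNSKEY, digest_type: int) -> DS:
    """What the parent publishes for the child's key (the hash of the child's DNSKEY)."""
    return DS(key.key_tag(), key.algorithm, digest_type, ds_digest(key, digest_type))


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """Does this single DS record authenticate this DNSKEY?"""
    if ds.digest_type not in DIGEST_ALGS:
        return False  # unknown digest type: this DS cannot be used for validation
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return hmac.compare_digest(ds_digest(key, ds.digest_type), ds.digest)


def key_validated_by(ds_set: list[DS], key: DNSKEY) -> bool:
    """Validator view of a whole DS RRset for one child key.

    Rule from RFC 4509 s3 (not stated in this summary): when the set contains
    SHA-256 DS records, ignore the SHA-1 ones, so a downgrade to the weaker
    digest is not possible just by leaving an old SHA-1 DS in the set.
    """
    usable = [d for d in ds_set if d.digest_type in DIGEST_ALGS]
    if any(d.digest_type == 2 for d in usable):
        usable = [d for d in usable if d.digest_type != 1]
    return any(ds_matches(d, key) for d in usable)


if __name__ == "__main__":
    # Constructed test key; the "public key" bytes are placeholders, not a real key.
    ksk = DNSKEY("example.", 257, 3, 8, b"\x01\x02\x03\x04")
    for dt in (1, 2):
        print(make_ds(ksk, dt).presentation(ksk.owner))
```

Running the block prints the SHA-1 and SHA-256 DS records a parent would publish for the constructed key. The interesting check is the last one in the test: a set holding a correct SHA-1 DS plus a wrong SHA-256 DS for the same key tag fails validation, because the SHA-1 record is discarded once a SHA-256 record is present.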
Working Group Summary
This document is a work item of the DNSEXT WG. The WG has
consensus to publish this document as a Proposed Standard.
Protocol Quality
This document was reviewed for the IESG by Margaret Wasserman.