Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
Draft of message to be sent after approval:
From: The IESG
To: IETF-Announce
Cc: Internet Architecture Board, RFC Editor, dnsext mailing list, dnsext chair
Subject: Protocol Action: 'Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)' to Proposed Standard

The IESG has approved the following document:

- 'Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)' as a Proposed Standard

This document is the product of the DNS Extensions Working Group.

The IESG contact persons are Margaret Wasserman and Mark Townsley.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-ds-sha256-06.txt
Technical Summary

Given the crumbling confidence in SHA-1, DNSEXT, with the urging of Russ Housley, decided to address the weakest part of the DNSSEC chain: the long-lived digest in the DS record. DS is used to transfer trust from a parent zone to a DNSKEY at the child. The DS record stores a digest of the public part of the key that the child uses to sign its own DNSKEY set. The change to SHA-256 is considered a significant improvement in resilience; the Working Group is aware that this might be a temporary measure until a new generation of standardized digest algorithms becomes available.

This document also contains some guidance on how implementations treat DS sets where multiple digest algorithms are used. This part of the document has seen the most discussion and clarification of text. There is a strong consensus behind this document.

Working Group Summary

This document is a work item of the DNSEXT WG. The WG has consensus to publish this document as a Proposed Standard.

Protocol Quality

This document was reviewed for the IESG by Margaret Wasserman.
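As an added illustration, not part of this announcement or of the draft it approves, the following Python shows what the summary describes: the DS digest is computed over the child's owner name in wire form followed by the DNSKEY RDATA (the RFC 4034 construction), with digest type 1 for SHA-1 and digest type 2 for SHA-256; a validator then recomputes that digest from the DNSKEY it received from the child and compares it with the DS from the parent. It also filters a DS RRset that mixes digest types. The owner name child.example., the placeholder key bytes, the helper names and the mixed-set policy (keep only the strongest supported digest type present) are assumptions of this example; the page says the document gives guidance on mixed sets but does not reproduce its exact rule.

```python
import base64
import hashlib

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (the type this document adds).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}
# Assumed validator policy for mixed DS sets: prefer SHA-256, fall back to SHA-1 only
# when no SHA-256 DS is present. Strongest type first.
DIGEST_PREFERENCE = (2, 1)


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, alg 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Digest field of a DS RR: hash(owner name in wire form | DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGORITHMS[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Parent side: build DS RDATA (key tag, algorithm, digest type, digest) for a child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key_b64):
    """Validator side: does this DS from the parent authenticate this DNSKEY from the child?"""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGEST_ALGORITHMS:
        return False  # unsupported digest type: this DS cannot be used for validation
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return (alg == algorithm and tag == key_tag(rdata)
            and digest.upper() == ds_digest(owner, rdata, digest_type))


def usable_ds_records(ds_set):
    """Assumed policy for a DS RRset mixing digest types: drop unsupported types, and when
    several supported types are present keep only the most preferred one, so a weaker
    digest cannot be substituted for a stronger one that the parent also published."""
    for digest_type in DIGEST_PREFERENCE:
        chosen = [ds for ds in ds_set if ds[2] == digest_type]
        if chosen:
            return chosen
    return []


# Constructed sample (not a real key): KSK flags, protocol 3, RSASHA256, 64 placeholder bytes.
SAMPLE_OWNER = "child.example."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG = 257, 3, 8
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode("ascii")


def demo():
    """Publish a SHA-256 DS for the sample key and validate it; return (ds, ok, ok_tampered)."""
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_KEY_B64)
    ok = ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_KEY_B64)
    # A DNSKEY with a different flags field must not match the published DS.
    ok_tampered = ds_matches_dnskey(ds, SAMPLE_OWNER, 256, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_KEY_B64)
    return ds, ok, ok_tampered


if __name__ == "__main__":
    ds, ok, ok_tampered = demo()
    print("%s IN DS %d %d %d %s" % ((SAMPLE_OWNER,) + ds))
    print("genuine key matches:", ok, "| tampered key matches:", ok_tampered)
```

The owner name is lower-cased before hashing because the digest is computed over the canonical form of the name; a validator that hashed the name as typed would reject a DS for `CHILD.example.` that the parent computed over `child.example.`.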