Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
RFC 4509

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: Internet Architecture Board <>,
    RFC Editor <>, 
    dnsext mailing list <>, 
    dnsext chair <>
Subject: Protocol Action: 'Use of SHA-256 in DNSSEC Delegation 
         Signer (DS) Resource Records (RRs)' to Proposed Standard 

The IESG has approved the following document:

- 'Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) '
   <draft-ietf-dnsext-ds-sha256-06.txt> as a Proposed Standard

This document is the product of the DNS Extensions Working Group. 

The IESG contact persons are Margaret Wasserman and Mark Townsley.

A URL of this Internet-Draft is:

Technical Summary
Given the crumbling confidence in SHA-1, DNSEXT with the urging of Russ Housley,decided to address the weakest part of the DNSSEC chain, the long lived digest
in the DS record. DS is used to transfer trust from a parent zone to a DNSKEY atchild. The DS record stores a digest of the public part of the key that child
uses to sign its own DNSKEY set.

The change to SHA-256 is considered significant improvement in resilience, the
Working group is aware that this might be a temporary measure until new
generation of standardized Digest algorithms becomes available

This document also contains some guidance on how implementations treat DS sets
where there are multiple digest algorithms used.  This part of the document has
seen most discussion and clarifications of text. There is a strong consensus
behind this document.
Working Group Summary
   This document is a work item of the DNSEXT WG.  The WG has 
   consensus to publish this document as a Proposed Standard.
Protocol Quality
   This document was reviewed for the IESG by Margaret Wasserman.