--- 1/draft-ietf-dnsext-ds-sha256-03.txt 2006-02-04 17:00:45.000000000 +0100 +++ 2/draft-ietf-dnsext-ds-sha256-04.txt 2006-02-04 17:00:45.000000000 +0100 @@ -1,17 +1,17 @@ Network Working Group W. Hardaker Internet-Draft Sparta -Expires: July 10, 2006 January 6, 2006 +Expires: July 17, 2006 January 13, 2006 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) - draft-ietf-dnsext-ds-sha256-03.txt + draft-ietf-dnsext-ds-sha256-04.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -22,21 +22,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on July 10, 2006. + This Internet-Draft will expire on July 17, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document specifies how to use the SHA-256 digest type in DNS Delegation Signer (DS) Resource Records (RRs). DS records, when stored in a parent zone, point to key signing DNSKEY key(s) in a 
@@ -194,22 +194,22 @@ present but invalid. For example, if the following conditions are all true: o Both SHA-1 and SHA-256 based digests are published in DS records within a parent zone for a given child zone's DNSKEY. o The DS record with the SHA-1 digest matches the digest computed using the child zone's DNSKEY. - o The DS record with the SHA-256 digest fails to match the signature - computed using the child zone's DNSKEY + o The DS record with the SHA-256 digest fails to match the digest + computed using the child zone's DNSKEY. Then if the validator accepts the above situation as secure then this can be used as a downgrade attack since the stronger SHA-256 digest is ignored. 6.2. SHA-1 vs SHA-256 Considerations for DS Records Because of the weaknesses recently discovered within the SHA-1 algorithm, users of DNSSEC are encouraged to deploy the use of SHA- 256 as soon as the software implementations in use allow for it.
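Review bot: the unchanged context line that follows the rewritten bullet, "Then if the validator accepts the above situation as secure then this can be used as a downgrade attack", still has a doubled "then" and only describes the attack without saying what a validator is expected to do when a SHA-256 DS RR is present but fails to match; suggest "If the validator accepts the above situation as secure, this can be used as a downgrade attack, since the stronger SHA-256 digest is ignored." followed by a sentence stating the required validator behaviour. The change itself, "signature" to "digest" in the third bullet, is the right correction: a DS RR carries a digest of the child zone's DNSKEY and is never compared against a signature, and the bullet now parallels the SHA-1 bullet above it word for word, which makes the two conditions easier to read as a pair.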