Afilias' specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and award-winning mobile Web services.
ICANN recently issued several communications regarding the use of SHA-1 in DNSSEC. This post addresses SHA-1 and the steps Afilias is taking to protect TLDs in our care.
SHA-1 is an encryption technology that protects DNSSEC records. The main issue is that SHA-1, which has been in broad use for over 20 years, is being superseded by upgrades (e.g. SHA-256) that are safer against newer de-cryption technologies. A recent blog post by ICANN Principal Technologist Paul Hoffman addressed this subject.
While ICANN recommends that users of SHA-1 upgrade within the next several months, ICANN’s CTO states: “note that use of SHA-1 in NSEC3 does not appear to be vulnerable to this new attack.” The Afilias implementation of SHA-1 includes NSEC3 in all of our DNSSEC signed TLDs.
Analysis by a respected security researcher, Tony Finch of the University of Cambridge states, “What prevents TLDs being vulnerable to SHAmbles is that the payload of a well-formed DS record is too small to hold enough collision blocks.”
Afilias’ experts have reviewed the potential exposure of TLDs in our care to the SHAmbles attack, and we believe that our client’s TLDs are not vulnerable to this type of attack.
Some technical specifics: Afilias’ operated and managed TLDs do not allow subdomains to insert records directly into the TLD without a delegation. Further, Afilias uses a unique public/private key pair for each TLD zones it manages, and lastly, Afilias operated and managed TLDs have separate Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs).
Afilias is actively monitoring SHA-1 developments and already has plans to switch to an even higher-level encryption technology after the conclusion of comprehensive testing.