- Although there are no more restrictions for .fi registrations, the registry still demands several extensions
- DNSSEC does not support SHA-1
The DNSSEC signing algorithm 5 - RSASHA1 (RSA/SHA-1) WILL NO LONGER BE SUPPORTED as of 13 September 2020. .fi domain names using Algorithm 5 keys will continue to operate normally and Traficom will not remove records currently in use from the .fi root.
After the change, no new RSA/SHA-1 keys can be added. This means that another permitted algorithm must be used once the current keys are rotated out.
Why this change is being made:
The RSA/SHA-1 algorithm is no longer considered secure.
At a later time, Algorithm 7 will also be phased out. We therefore recommend discontinuing its use. Once the change has taken effect, the supported DNSSEC signing algorithms will be the following:
• Algorithm 7 - RSASHA1-NSEC3-SHA1
• Algorithm 8 - RSASHA256 (RSA/SHA-256)
• Algorithm 10 - RSASHA512 (RSA/SHA-512)
• Algorithm 13 - ECDSAP256SHA256 (ECDSA Curve P-256 with SHA-256)
The adoption of Algorithm 15 - Ed25519 is currently being considered and support for it will be available in the future.
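
To see which of a zone's keys are affected, the algorithm field of each DNSKEY and DS record can be checked against the list above. The following is an added example, not Traficom's code: the status labels, function names and sample records (with placeholder key material) are constructed for illustration.

```python
# Added example: classify DNSKEY/DS algorithms against the notice's policy.
# Status labels are this example's own wording, not registry terminology.
POLICY = {
    5: "no-new-keys",            # RSASHA1: keys in use keep working, none can be added
    7: "supported-phase-out",    # RSASHA1-NSEC3-SHA1: accepted, to be phased out later
    8: "supported",              # RSASHA256
    10: "supported",             # RSASHA512
    13: "supported",             # ECDSAP256SHA256
    15: "under-consideration",   # Ed25519: not yet available
}
# Zone files may carry the IANA mnemonic instead of the number.
MNEMONICS = {"RSASHA1": 5, "RSASHA1-NSEC3-SHA1": 7, "RSASHA256": 8,
             "RSASHA512": 10, "ECDSAP256SHA256": 13, "ED25519": 15}

def algorithm_number(field):
    """Accept the decimal or the mnemonic form of the algorithm field."""
    return int(field) if field.isdigit() else MNEMONICS.get(field.upper(), -1)

def audit(zone_text):
    """Return (owner, rrtype, role, algorithm, status) per DNSKEY/DS record."""
    findings = []
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()      # drop trailing comments
        # TTL and class are optional, so locate the type token (never the owner).
        idx = next((i for i, t in enumerate(tokens)
                    if i > 0 and t.upper() in ("DNSKEY", "DS")), None)
        if idx is None or len(tokens) < idx + 4:
            continue
        rrtype, rdata = tokens[idx].upper(), tokens[idx + 1:]
        if rrtype == "DNSKEY":                      # flags protocol algorithm key
            role = "KSK" if int(rdata[0]) & 1 else "ZSK"   # SEP bit marks a KSK
            alg = algorithm_number(rdata[2])
        else:                                       # keytag algorithm digesttype digest
            role, alg = "DS", algorithm_number(rdata[1])
        findings.append((tokens[0], rrtype, role, alg, POLICY.get(alg, "not-listed")))
    return findings

# Constructed sample records; keys and digests are placeholders.
SAMPLE = """\
example.fi. 3600 IN DNSKEY 257 3 5 AwEAAcCONSTRUCTEDksk=
example.fi. 3600 IN DNSKEY 256 3 8 AwEAAcCONSTRUCTEDzsk=
example.fi. 3600 IN DS 12345 13 2 00CONSTRUCTEDDIGEST00 ; at the parent
example.fi. IN DNSKEY 257 3 ED25519 CONSTRUCTEDed25519key=
example.fi. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A record reported as `no-new-keys` keeps working, but its replacement at the next key rotation has to use one of the supported algorithms.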