On Tue, Mar 28, 2017 at 4:41 AM, Evan Hunt wrote:
> We can and should kill MD5 key generation and signing (and I'll add this to
> the ticket about updating defaults in BIND) but I'm uncomfortable killing
> MD5 validation until I'm sure there aren't any legacy keys floating around.
Short history of MD5 in DNSSEC:

1999: RFC 2535 makes MD5 recommended for DNSSEC
2001: RFC 3110 makes MD5 not recommended for DNSSEC
2004: RFC 3755 disallows MD5 for zone signing
2005: RFC 4034 reassures that MD5 is not recommended and must not be used for zone signing

DNS software that supports MD5 for zone signing in 2017 belongs in a museum. It's too late for arguments about keeping it for legacy reasons.

I agree that modern validators should treat MD5 as an unknown algorithm.

Jan
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
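What "treat MD5 as an unknown algorithm" means in practice for a validator, as an added example that is not part of the thread and not BIND's code: DS and RRSIG records whose algorithm number the validator does not implement are ignored, and a delegation whose DS set contains only such algorithms is classified insecure rather than bogus (the RFC 4035 section 5.2 rule). The algorithm numbers are the IANA DNSSEC registry values (1 = RSAMD5, 5 = RSASHA1, 8 = RSASHA256, 13 = ECDSAP256SHA256); the `SUPPORTED` set, the `DS`/`RRSIG` dataclasses and the sample records are constructed for this example and are assumptions, not the behaviour of any particular resolver.

```python
# Added example: algorithm-support filtering in a DNSSEC validator.
# Not from the DNSOP thread or from BIND; the SUPPORTED set and the
# sample records below are constructed assumptions.
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers.
RSAMD5 = 1            # RFC 4034 appendix A.1: "not recommended"
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Algorithms this hypothetical modern validator implements. RSAMD5 is
# deliberately absent, so it is "unknown" in the RFC 4035 sense.
SUPPORTED = frozenset({RSASHA1, RSASHA256, ECDSAP256SHA256})

# The same validator with RSAMD5 validation still enabled (legacy mode),
# included only to show how the verdict changes.
LEGACY_SUPPORTED = SUPPORTED | {RSAMD5}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int


def usable_ds(ds_set, supported=SUPPORTED):
    """DS records whose signing algorithm the validator can actually use."""
    return [ds for ds in ds_set if ds.algorithm in supported]


def delegation_status(ds_set, supported=SUPPORTED):
    """
    Classify a delegation from its parent-side DS set.
    - no DS at all (proven by NSEC/NSEC3 in the parent): insecure
    - DS records present but none with a supported algorithm: insecure
      (RFC 4035 5.2: unknown algorithms must not cause a bogus result)
    - at least one usable DS: proceed to chase and validate the chain
    """
    if not ds_set or not usable_ds(ds_set, supported):
        return "insecure"
    return "validate"


def usable_rrsigs(rrsigs, supported=SUPPORTED):
    """RRSIGs to attempt; signatures with unknown algorithms are skipped."""
    return [sig for sig in rrsigs if sig.algorithm in supported]


def rrset_status(rrsigs, supported=SUPPORTED):
    """
    For an RRset inside a zone already known to be secure: if every RRSIG
    uses an algorithm the validator does not support, nothing can be
    checked, so the RRset is bogus rather than silently accepted.
    """
    return "check_signatures" if usable_rrsigs(rrsigs, supported) else "bogus"


# Constructed sample data: a zone still published with an RSAMD5 KSK only.
MD5_ONLY_DS = [DS(key_tag=12345, algorithm=RSAMD5, digest_type=1)]
# A zone that added a SHA-256 key alongside the old one.
MIXED_DS = [DS(12345, RSAMD5, 1), DS(54321, RSASHA256, 2)]
MD5_ONLY_SIGS = [RRSIG(key_tag=12345, algorithm=RSAMD5)]


if __name__ == "__main__":
    print("MD5-only delegation, modern validator:", delegation_status(MD5_ONLY_DS))
    print("MD5-only delegation, legacy validator:",
          delegation_status(MD5_ONLY_DS, LEGACY_SUPPORTED))
    print("Mixed delegation, modern validator:", delegation_status(MIXED_DS))
    print("MD5-only RRSIGs inside a secure zone:", rrset_status(MD5_ONLY_SIGS))
```

The practical consequence of the two verdicts is the point of the thread: once RSAMD5 is removed from `SUPPORTED`, a zone that still has only an MD5 DS at its parent degrades to insecure (answers are returned unvalidated, as for an unsigned zone) instead of failing, so removing MD5 validation does not break resolution for the legacy keys Evan is worried about; it only stops treating their signatures as proof of anything.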
