Fujiwara-san, I don't exactly understand why such a table would be better than the existing text that says:

> 3.2. DNSKEY Algorithm Recommendation
>
> Operation recommendation for new and existing deployments.
>
> Due to industry-wide trend to move to elliptic curve cryptography,
> the ECDSAP256SHA256 is RECOMMENDED for use by new DNSSEC deployments,
> and users of RSA based algorithms SHOULD upgrade to ECDSAP256SHA256.

I believe this is clear enough.

As for the second column, I am strongly opposed to saying what the recommendation would be in "2 years". We have no idea about the deployment of Ed25519 resolvers[*], nor about RSA. But this is a type of document that needs to be regularly refreshed when needed, so we can issue another update in 2-5 years...

Ondrej

* - I also suspect that saying "usable" is too optimistic given that support for Ed25519 requires the new OpenSSL 1.1.0 and the general glacier-speed deployment of new software.

--
Ondřej Surý [email protected]

> On 15 Oct 2018, at 17:04, [email protected] wrote:
>
> WGLC comment to draft-ietf-dnsop-algorithm-update-02
>
> Section 3.2 is "recommendations for operators".
>
> There is text that discusses ECDSAP256SHA256 only in section 3.2.
> However, RSASHA256 is still usable.
> Please add text about other algorithms.
> If there is a table similar to section 3.1, it will help operators.
>
> For example,
>
>                choice of                 | choice of
>                signing algorithm (now)   | signing algorithm (2 years later)
> ----------------------------------------------------------------------------
> RSASHA1*       MUST NOT                  | MUST NOT
> RSASHA256      usable                    | usable/consider change to EC*/Ed*
> ECDSAP256*     usable                    | usable
> Ed25519        MAY                       | usable
>
>
> Regards,
>
> --
> Kazunori Fujiwara, JPRS <[email protected]>
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
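An operator reading this thread will mostly want to know where their own zone stands against the guidance. The following Python script is an added example, not text from the draft and not code from either poster: it parses a DNSKEY RRset in presentation format, computes each key's key tag with the RFC 4034 Appendix B procedure, and reports the status the thread assigns to the key's algorithm. The algorithm numbers are the public IANA DNSSEC algorithm registry values; the status and action strings are this example's reading of the quoted section 3.2 text and the "now" column of Fujiwara's proposed table (treating RSASHA1-NSEC3-SHA1 as part of "RSASHA1*" is an assumption), and the sample records and their base64 key material are constructed placeholders, not real keys.

```python
"""Audit a zone's DNSKEY RRset against the algorithm guidance in this thread.

Example code, not part of the draft or the mailing-list discussion. Input is
DNSKEY records in presentation format (constructed samples below); output is
one finding per key with its key tag (RFC 4034 Appendix B) and the status the
thread assigns to its algorithm.
"""
import base64

# IANA DNSSEC algorithm numbers (public registry values) mapped to the status
# taken from the thread: the draft's section 3.2 text (ECDSAP256SHA256
# RECOMMENDED, RSA users SHOULD upgrade) and the "now" column of Fujiwara's
# proposed table (RSASHA1* MUST NOT, RSASHA256 usable, Ed25519 MAY).
# Treating RSASHA1-NSEC3-SHA1 (7) as part of "RSASHA1*" is this example's
# assumption, as are the "action" strings.
ALGORITHMS = {
    5:  ("RSASHA1",            "MUST NOT",    "replace the key"),
    7:  ("RSASHA1-NSEC3-SHA1", "MUST NOT",    "replace the key"),
    8:  ("RSASHA256",          "usable",      "SHOULD upgrade to ECDSAP256SHA256"),
    13: ("ECDSAP256SHA256",    "RECOMMENDED", "none"),
    15: ("ED25519",            "MAY",         "check resolver support before relying on it"),
}


def parse_dnskey(line):
    """Parse one DNSKEY RR in presentation format.

    Accepts "owner [TTL] [IN] DNSKEY flags protocol algorithm base64key";
    the key may be split across several base64 tokens, as in dig output.
    """
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": key}


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit(lines):
    """Return one finding per DNSKEY line; blank lines and ';' comments are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        rr = parse_dnskey(line)
        name, status, action = ALGORITHMS.get(
            rr["algorithm"],
            (f"alg {rr['algorithm']}", "not covered by the thread", "review separately"))
        findings.append({
            "owner": rr["owner"],
            # The SEP bit (flags & 1) marks a KSK / secure entry point.
            "role": "KSK" if rr["flags"] & 0x0001 else "ZSK",
            "algorithm": name,
            "key_tag": key_tag(rr["flags"], rr["protocol"], rr["algorithm"], rr["key"]),
            "status": status,
            "action": action,
        })
    return findings


# Constructed sample RRset: the base64 key material is deliberately tiny
# placeholder data, not real keys.
SAMPLE_DNSKEYS = [
    "example.com.    3600 IN DNSKEY 257 3 13 AQID",
    "example.com.    3600 IN DNSKEY 256 3 8  BAUG",
    "legacy.example. 3600 IN DNSKEY 257 3 5  BwgJ",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_DNSKEYS):
        print(f"{f['owner']:<16} {f['role']} {f['algorithm']:<18} tag={f['key_tag']:<5} "
              f"{f['status']:<12} {f['action']}")
```

Feed it the output of `dig +short DNSKEY example.com` prefixed with the owner name (or a zone file's DNSKEY lines) instead of the constructed samples; the key tag it prints is the same value that appears in the zone's DS records and RRSIGs, so findings can be matched to the parent-side delegation when planning the algorithm change the draft asks RSA users to make.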
