Viktor, apart from the I-D in the LC, the upcoming BIND 9.14 release will have:
* GOST removed (as it was deprecated by Russian “upstream”)
* Both DSA algorithms removed (insecure)
* RSAMD5 algorithm to be removed (I just finished the MR and it needs to be reviewed: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1106)

Ondrej
--
Ondřej Surý [email protected]

> On 1 Dec 2018, at 20:51, Viktor Dukhovni <[email protected]> wrote:
>
> The IANA DNSSEC parameter registry lists RSAMD5 (algorithm 1) as
> deprecated, and refers to [RFC3110], [RFC4034] which state that
> RSAMD5 is "NOT RECOMMENDED".
>
> https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1
>
> "Survey says" that RSAMD5 is not only deprecated, but is in fact
> no longer used, by any of the ~9 million DNSSEC-delegated domains
> I've been able to find on the public Internet:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2018-December/018146.html
>
> It only has the effect of breaking two domains that have only RSAMD5
> in the DS RRset, but have no DNSKEY RRs. 11 domains have working
> keys for algorithms 5, 7, 8 or 13 with a DS RRset that also lists
> an orphaned algorithm 1 with no RSAMD5 keys at the zone apex. A
> further 18 domains have RSAMD5 DS RRs, but are simply out of service
> even sans validation.
>
> This suggests to me that the deprecation of RSAMD5 is a stunning
> success; it is gone, and perhaps it is time to say so:
>
> * Authoritative zones SHOULD NOT publish RSAMD5 DS RRs or
> DNSKEY records.
>
> * Validating resolvers MUST ignore RSAMD5 DS RRs and DNSKEY
> RRs, and MUST treat any zones with only ignored or unsupported
> DS records as "insecure".
>
> Perhaps we could be bolder and say the same for DSA (algorithm 3),
> this too is largely gone, but there's a cluster of ~4700 ".me"
> domains with DSA keys. It is not clear that enabling those domains
> to validate merits ongoing support for algorithm 3. So we might
> also add DSA to the list, encouraging resolver implementations to
> drop support for both RSAMD5 and DSA.
>
> --
> Viktor.
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
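The resolver rule Viktor proposes (ignore RSAMD5 and DSA DS/DNSKEY RRs, and treat a delegation whose DS RRset holds only ignored or unsupported algorithms as "insecure" rather than failing it), as an added Python example that is not code from BIND or from either poster. The algorithm numbers are the IANA registry values; the validator's `SUPPORTED`/`IGNORED` policy sets and the `classify` function are assumptions made for illustration, and the cases in the comments are the ones counted in the survey above.

```python
# DNSSEC algorithm numbers from the IANA dns-sec-alg-numbers registry.
RSAMD5, DSA, RSASHA1, DSA_NSEC3, RSASHA1_NSEC3, RSASHA256, ECDSAP256 = 1, 3, 5, 6, 7, 8, 13

# Assumed policy of a hypothetical validator: algorithms it can use at all,
# and algorithms it deliberately refuses to use (the proposal in the thread).
SUPPORTED = {RSAMD5, DSA, RSASHA1, DSA_NSEC3, RSASHA1_NSEC3, RSASHA256, ECDSAP256}
IGNORED = {RSAMD5, DSA, DSA_NSEC3}


def usable_ds(ds_algs, ignored=IGNORED):
    """DS algorithms the validator would actually try: supported and not ignored."""
    return {a for a in ds_algs if a in SUPPORTED and a not in ignored}


def classify(ds_algs, dnskey_algs, ignored=IGNORED):
    """Classify a delegation.

    ds_algs:     algorithms present in the parent's (authenticated) DS RRset
    dnskey_algs: algorithms of the DNSKEY RRs found at the child zone apex
    Returns 'insecure'  - no usable DS, treat the child as unsigned,
            'validate'  - a usable DS has a matching apex DNSKEY, keep validating,
            'bogus'     - a usable DS exists but no apex DNSKEY can match it.
    """
    usable = usable_ds(ds_algs, ignored)
    if not usable:
        # Only ignored/unsupported DS RRs: no supported path from parent to
        # child, so the zone is treated as insecure instead of failing.
        return "insecure"
    if usable & set(dnskey_algs):
        return "validate"
    return "bogus"


if __name__ == "__main__":
    # The 2 domains with only an RSAMD5 DS and no DNSKEY: insecure under the
    # proposal, bogus for a validator that still honours algorithm 1.
    print(classify({RSAMD5}, set()))                  # insecure
    print(classify({RSAMD5}, set(), ignored=set()))   # bogus
    # The 11 domains with a working alg 8 key plus an orphaned alg 1 DS.
    print(classify({RSAMD5, RSASHA256}, {RSASHA256}))  # validate
    # The ~4700 .me domains if DSA is dropped as well.
    print(classify({DSA}, {DSA}))                      # insecure
```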
