On Fri, 15 Feb 2019, Mats Dufberg wrote:

> The table in section 3.3 ("DS and CDS Algorithms") of the draft states that SHA-1 is "MUST NOT" for
> "DNSSEC Delegation" but in the narrative text under the table it states "SHA-1 [...] is NOT RECOMMENDED
> for use in generating new DS and CDS records."
> The two statements should be consistent in the final RFC.

Done, thanks for spotting that.
https://tools.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-06.txt
SHA-1 is still in wide use for DS records, so validators MUST
- implement validation, but it is NOT RECOMMENDED for use in generating
- new DS and CDS records. (See Operational Considerations for caveats
- when upgrading from SHA-1 to SHA-256 DS Algorithm.)
+ implement validation, but it MUST NOT be used to generate new DS and
+ CDS records. (See Operational Considerations for caveats when
+ upgrading from SHA-1 to SHA-256 DS Algorithm.)
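
Review bot: In the added sentence "it MUST NOT be used to generate new DS and CDS records", the word "new" is not defined, so a reader cannot tell whether a SHA-1 DS regenerated for a rolled key in a zone that already publishes SHA-1 DS records counts as new. Suggest saying so in this sentence, or making the parenthetical pointer to Operational Considerations name that case explicitly. The wording now matches the "MUST NOT" in the section 3.3 table quoted above, and the validator requirement ("validators MUST implement validation") is unchanged, which is the right split between generation and validation.
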
Paul