On Fri, 15 Feb 2019, Mats Dufberg wrote:

> The table in section 3.3 ("DS and CDS Algorithms") of the draft states that SHA-1 is "MUST NOT" for
> "DNSSEC Delegation" but in the narrative text under the table it states "SHA-1 [...] is NOT RECOMMENDED
> for use in generating new DS and CDS records."
>
> The two statements should be consistent in the final RFC.

Done, thanks for spotting that.

https://tools.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-06.txt

    SHA-1 is still in wide use for DS records, so validators MUST
-   implement validation, but it is NOT RECOMMENDED for use in generating
-   new DS and CDS records.  (See Operational Considerations for caveats
-   when upgrading from SHA-1 to SHA-256 DS Algorithm.)
+   implement validation, but it MUST NOT be used to generate new DS and
+   CDS records.  (See Operational Considerations for caveats when
+   upgrading from SHA-1 to SHA-256 DS Algorithm.)

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop