Wes, I'm all for killing SHA1. Though the mechanism might need a rethink. We probably should have a simpler way to add/remove DNSSEC crypto algorithms. IIRC, Paul Hoffman explained the problem a year or so ago when new code points were needed for the latest GOST algorithms: something about how that could only be done with the overkill of a Standards Track RFC. Maybe that could get fixed and SHA1 could be its first victim?
As for the I-D, I think it should also say validating resolvers MUST NOT use SHA1-flavoured RRtypes for validation. i.e., give SHA1 two shots to the head, just to be sure. :-)

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
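The consequence of the "validators MUST NOT use SHA1" rule is worth seeing concretely: under RFC 4035 / RFC 6840 section 5.2, a delegation whose DS records the validator refuses to use becomes insecure (treated as unsigned), not bogus, while a supported DS with no matching signed DNSKEY is bogus. The following is an added example, not code from the thread or from any resolver; it models a validator's DS/DNSKEY/RRSIG selection logic with constructed sample records, matching records on key tag and algorithm only and assuming the digest and signature checks for those matches have already passed.

```python
from dataclasses import dataclass
from typing import Iterable

# DNSSEC algorithm numbers from the IANA DNSSEC Algorithm Numbers registry.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15

# DS digest types from the IANA DS RR Type Digest Algorithms registry.
DS_SHA1 = 1
DS_SHA256 = 2
DS_SHA384 = 4

SHA1_ALGORITHMS = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1})
SHA1_DIGESTS = frozenset({DS_SHA1})


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int


def ds_supported(ds: DS, reject_sha1: bool) -> bool:
    """Is the validator willing to use this DS at all?

    With reject_sha1 set, both the signing algorithm and the DS digest type
    must be SHA-1 free (the "two shots" policy from the message above).
    """
    if reject_sha1 and (ds.algorithm in SHA1_ALGORITHMS or ds.digest_type in SHA1_DIGESTS):
        return False
    return True


def validation_outcome(ds_set: Iterable[DS], dnskeys: Iterable[DNSKEY],
                       rrsigs: Iterable[RRSIG], reject_sha1: bool = True) -> str:
    """Return 'secure', 'insecure' or 'bogus' for a delegation.

    Decision rules (RFC 4035 section 5.2, RFC 6840 section 5.2):
      * no DS the validator supports            -> insecure (treat as unsigned)
      * supported DS, but no DNSKEY signed by it -> bogus
      * some supported DS whose key signed the DNSKEY RRset -> secure
    Matching is on (key_tag, algorithm); digest/signature verification for a
    matching triple is assumed to succeed (assumption of this example).
    """
    usable = [d for d in ds_set if ds_supported(d, reject_sha1)]
    if not usable:
        return "insecure"
    keys = {(k.key_tag, k.algorithm) for k in dnskeys}
    sigs = {(s.key_tag, s.algorithm) for s in rrsigs}
    for d in usable:
        ident = (d.key_tag, d.algorithm)
        if ident in keys and ident in sigs:
            return "secure"
    return "bogus"


def demo() -> dict:
    """Constructed sample zones (key tags are made up) under both policies."""
    # Zone signed only with RSASHA1 and published with a SHA-1 DS digest.
    sha1_only = ([DS(12345, RSASHA1, DS_SHA1)], [DNSKEY(12345, RSASHA1)], [RRSIG(12345, RSASHA1)])
    # Same zone after adding an ECDSAP256SHA256 key and a SHA-256 DS alongside.
    dual = ([DS(12345, RSASHA1, DS_SHA1), DS(23456, ECDSAP256SHA256, DS_SHA256)],
            [DNSKEY(12345, RSASHA1), DNSKEY(23456, ECDSAP256SHA256)],
            [RRSIG(12345, RSASHA1), RRSIG(23456, ECDSAP256SHA256)])
    # RSASHA256 signing, but the parent only carries a SHA-1 digest DS.
    sha1_digest = ([DS(34567, RSASHA256, DS_SHA1)], [DNSKEY(34567, RSASHA256)], [RRSIG(34567, RSASHA256)])
    # Supported DS at the parent, but the child's DNSKEY RRset lacks that key.
    missing_key = ([DS(45678, ED25519, DS_SHA256)], [DNSKEY(99999, ED25519)], [RRSIG(99999, ED25519)])
    return {
        "sha1_only_strict": validation_outcome(*sha1_only, reject_sha1=True),
        "sha1_only_legacy": validation_outcome(*sha1_only, reject_sha1=False),
        "dual_strict": validation_outcome(*dual, reject_sha1=True),
        "sha1_digest_strict": validation_outcome(*sha1_digest, reject_sha1=True),
        "sha1_digest_legacy": validation_outcome(*sha1_digest, reject_sha1=False),
        "missing_key_strict": validation_outcome(*missing_key, reject_sha1=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical caveat this shows: dropping SHA-1 in validators does not break SHA-1-only zones outright, it silently downgrades them to insecure, which is exactly why the draft's "signers MUST NOT" and a validator-side rule need to land together.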
