So you are ready to replace SHA1 in NSEC3 and do a second algorithm renumber, which is what is required to actually get rid of SHA1, or do you mean retire RSA-SHA1?

People are much too imprecise in the terminology.

-- 
Mark Andrews

> On 13 Aug 2022, at 18:50, Jim Reid <[email protected]> wrote:
> 
> Wes, I'm all for killing SHA1. Though the mechanism might need a rethink. We
> probably should have a simpler way to add/remove DNSSEC crypto algorithms.
> IIRC Paul Hoffman explained the problem a year or so ago when new code points
> were needed for the latest GOST algorithms: something about that could only
> be done with the overkill of a Standards Track RFC. Maybe that could get
> fixed and SHA1 could be its first victim?
> 
> As for the I-D, I think it should also say validating resolvers MUST NOT use
> SHA1-flavoured RRtypes for validation. I.e. give SHA1 two shots to the head,
> just to be sure. :-)
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
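The terminology point above is that SHA-1 shows up in DNSSEC in several distinct registries, and retiring one does not touch the others: the DNSKEY/RRSIG/DS algorithm numbers (RSASHA1 is 5, RSASHA1-NSEC3-SHA1 is 7, DSA is 3), the NSEC3 hash algorithm field (where 1, SHA-1, is the only value ever assigned), and the DS digest type (where 1 is SHA-1). The following is an added audit script, not code from the thread or from any IETF document, that walks zone records in presentation format and reports each SHA-1 use under the registry it belongs to, so an operator can see what a "retire RSA-SHA1" step would and would not remove. The zone data is constructed and the key and signature fields are placeholders.

```python
"""Classify SHA-1 usage in DNSSEC records by the registry it comes from.

Added example; the sample records below are constructed, not from a real zone.
"""

# DNSKEY / RRSIG / DS "algorithm" numbers that involve SHA-1 (DNS Security
# Algorithm Numbers registry, RFC 4034 and RFC 5155).
SHA1_SIGNING_ALGS = {3: "DSA", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
# NSEC3 / NSEC3PARAM hash algorithm: 1 = SHA-1, the only value assigned (RFC 5155).
SHA1_NSEC3_HASH = 1
# DS digest type: 1 = SHA-1 (RFC 4034).
SHA1_DS_DIGEST = 1

RECORD_TYPES = {"DNSKEY", "RRSIG", "DS", "NSEC3", "NSEC3PARAM"}


def split_record(fields):
    """Return (owner, type, rdata) from tokenised presentation-format record.

    TTL and class are optional in zone files, so locate the type token by name
    rather than by position.
    """
    for i, tok in enumerate(fields):
        if i > 0 and tok.upper() in RECORD_TYPES:
            return fields[0], tok.upper(), fields[i + 1:]
    return None


def classify(zone_text):
    """Map each SHA-1 occurrence to the registry it lives in."""
    findings = {"signing": [], "nsec3_hash": [], "ds_digest": []}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        parsed = split_record(line.split())
        if parsed is None:
            continue
        owner, rtype, rdata = parsed
        if rtype == "DNSKEY":
            alg = int(rdata[2])                  # flags protocol ALGORITHM key
            if alg in SHA1_SIGNING_ALGS:
                findings["signing"].append(f"{owner} DNSKEY alg {alg} ({SHA1_SIGNING_ALGS[alg]})")
        elif rtype == "RRSIG":
            alg = int(rdata[1])                  # type-covered ALGORITHM labels ...
            if alg in SHA1_SIGNING_ALGS:
                findings["signing"].append(f"{owner} RRSIG alg {alg} ({SHA1_SIGNING_ALGS[alg]})")
        elif rtype == "DS":
            alg, digest = int(rdata[1]), int(rdata[2])   # keytag ALGORITHM DIGEST-TYPE digest
            if alg in SHA1_SIGNING_ALGS:
                findings["signing"].append(f"{owner} DS alg {alg} ({SHA1_SIGNING_ALGS[alg]})")
            if digest == SHA1_DS_DIGEST:
                findings["ds_digest"].append(f"{owner} DS digest type {digest} (SHA-1)")
        elif rtype in ("NSEC3", "NSEC3PARAM"):
            if int(rdata[0]) == SHA1_NSEC3_HASH:  # HASH-ALG flags iterations salt ...
                findings["nsec3_hash"].append(f"{owner} {rtype} hash alg 1 (SHA-1)")
    return findings


def remaining_after_retiring_signing_algs(findings):
    """Registries still carrying SHA-1 if only RSA-SHA1/DSA signing is retired."""
    return {k for k, v in findings.items() if k != "signing" and v}


# Constructed sample zone fragment (placeholder key and signature data).
ZONE = """\
example.        3600 IN DNSKEY 257 3 7 Q09OU1RSVUNURUQ=   ; KSK, RSASHA1-NSEC3-SHA1
example.        3600 IN DNSKEY 256 3 13 Q09OU1RSVUNURUQ=  ; ZSK, ECDSAP256SHA256
example.        3600 IN NSEC3PARAM 1 0 10 AABBCCDD
example.        3600 IN RRSIG DNSKEY 7 1 3600 20220901000000 20220801000000 12345 example. c29tZXNpZw==
child.example.  3600 IN DS 54321 13 1 0123456789ABCDEF0123456789ABCDEF01234567
child.example.  3600 IN DS 54321 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    result = classify(ZONE)
    for category, items in result.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
    print("still SHA-1 after retiring RSA-SHA1:", sorted(remaining_after_retiring_signing_algs(result)))
```

On the sample zone the script reports two signing-algorithm uses (the alg 7 DNSKEY and its RRSIG), one NSEC3 hash use and one DS digest use; retiring the signing algorithm leaves the latter two in place, which is the distinction the reply is drawing.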
