> On 14 Aug 2022, at 04:55, Wes Hardaker <[email protected]> wrote:
> 
> Something like:
> 
> # Deprecating SHA-1 algorithms in DNSSEC
> 
> The SHA-1 {{RFC3685}} algorithm MUST NOT be used when creating DS records.
> Validating resolvers MUST treat DS records as insecure.  If no other DS
> records of accepted cryptographic algorithms are available, the DNS
> records below the delegation point MUST be treated as insecure.
> 
> The RSASHA1 {{RFC4034}}, DSA-NSEC3-SHA1 {{RFC5155}}, and
> RSASHA1-NSEC3-SHA1 {{RFC5155}} algorithms MUST NOT be used when
> creating DNSKEY and RRSIG records.  Validating resolvers MUST treat
> RRSIG records created from DNSKEY records using these algorithms as
> insecure.  If no other RRSIG records of accepted cryptographic
> algorithms are available, the validating resolver MUST consider the
> associated resource records as Bogus.

Works for me, Wes. Though we could lose the last sentence IMO because the 
preceding one already says how SHA1-flavoured RRtypes should be treated.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
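A resolver-side check that applies the two rules in Wes's proposed text, as an added example (not code from the draft or from any DNS implementation): DS records with a SHA-1 digest are dropped and the delegation becomes insecure when none other remain; RRSIGs made with the three SHA-1 based algorithms are dropped and the RRset becomes Bogus when none other remain. The code points 1 (DS digest type SHA-1) and 5, 6, 7 (RSASHA1, DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1) are the IANA assignments from RFC 4034 and RFC 5155; the DS and RRSIG inputs are constructed.

```python
"""Apply the proposed SHA-1 deprecation rules to a DS RRset and to the
RRSIGs covering an RRset.  Constructed example, not part of the draft."""
from collections import namedtuple

# IANA code points (RFC 4034 / RFC 5155): DS digest type 1 is SHA-1;
# DNSKEY/RRSIG algorithm 5 = RSASHA1, 6 = DSA-NSEC3-SHA1, 7 = RSASHA1-NSEC3-SHA1.
SHA1_DS_DIGEST_TYPES = frozenset({1})
SHA1_SIGNING_ALGORITHMS = frozenset({5, 6, 7})

# Minimal views of the wire records: only the fields the policy looks at.
DS = namedtuple("DS", "key_tag algorithm digest_type")
RRSIG = namedtuple("RRSIG", "key_tag algorithm")


def filter_ds(ds_rrset):
    """First paragraph: a DS whose digest is SHA-1 is treated as insecure,
    i.e. ignored, whatever key algorithm it points at.  Returns
    ("verify", usable) when at least one DS of an accepted digest type
    remains, else ("insecure", []) for everything below the delegation.
    Any further algorithm policy on the remaining DS records is left to
    the caller's existing validator logic."""
    usable = [ds for ds in ds_rrset if ds.digest_type not in SHA1_DS_DIGEST_TYPES]
    return ("verify", usable) if usable else ("insecure", [])


def filter_rrsigs(rrsigs):
    """Second paragraph: RRSIGs produced by DNSKEYs of the SHA-1 based
    algorithms are ignored.  Returns ("verify", usable) when other RRSIGs
    remain to be checked, else ("bogus", []) because the RRset then has no
    acceptable signature at all."""
    usable = [sig for sig in rrsigs if sig.algorithm not in SHA1_SIGNING_ALGORITHMS]
    return ("verify", usable) if usable else ("bogus", [])


if __name__ == "__main__":
    # Constructed: one DS is a SHA-1 digest of an ECDSA P-256 key (algorithm
    # 13) and is dropped even though the key algorithm itself is fine;
    # the SHA-256 digest (type 2) of the same key keeps the delegation secure.
    print(filter_ds([DS(12345, 13, 1), DS(12345, 13, 2)]))
    # Constructed: only a SHA-1 DS is published, so the child is insecure.
    print(filter_ds([DS(54321, 5, 1)]))
    # Constructed: dual-signed RRset; the RSASHA1 signature is ignored, the
    # RSASHA256 (algorithm 8) one is still verified.
    print(filter_rrsigs([RRSIG(54321, 5), RRSIG(24680, 8)]))
    # Constructed: solely RSASHA1-NSEC3-SHA1 signed, so the RRset is Bogus.
    print(filter_rrsigs([RRSIG(54321, 7)]))
```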
