On Fri, 2022-08-12 at 08:48 -0700, Wes Hardaker wrote:
> This document retires the use of SHA-1 within DNSSEC

(Half-echoing what Mark Andrews said elsewhere in the thread.)

This document fails to retire the use of SHA-1 in NSEC3, and is thus, given its current title, incomplete.

We can do several things here:

(1) figure out the NSEC3 upgrade path [as Mark also says, this likely means burning ~10 algorithm numbers - plus years of pain]
(2) improve this document so that it clearly avoids touching NSEC3
(3) Obsoletes: RFC5155

While 3 may seem tongue in cheek, I am not entirely kidding. I do see it's not the most likely outcome :-)

(2, then 1, perhaps?)

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
