On 5/2/24 09:42, Philip Homburg wrote:
> In your letter dated Thu, 2 May 2024 09:21:29 +0200 you wrote:
>> In my view, it's fine to disallow signing with SHA-1-based algorithms to help
>> push signers towards other algorithms.
>
> I appreciate the effort, but I'm curious what that means.
>
> As far as I know, just about all zones that start signing are not using
> SHA1 as part of the signature. There is not really an issue with new
> installations. The affected algorithms have been marked as not recommended
> for many years so we can assume that in just about any signer they are not
> the default. The problem is with existing zones who probably have an
> existing relationship with signer software.

Right. Their policy may be "it's compliant and it works, so why roll?". It'll be
easier to push those SHA-1 signers to switch if one can tell them "look, now
you're not compliant anymore".

Peter

--
https://desec.io/

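A check that goes with this thread (added here as an example; it is not code from the list, the IETF or deSEC): given a zone in presentation format, list which DNSSEC algorithms the RRSIGs are actually made with and flag the SHA-1-based ones. The algorithm numbers and their RFC 8624 signing status are real; the two sample zones, their owner names and the truncated key/signature strings are constructed, and the function names (`scan_zone`, `sha1_report`) are this example's own. The point of looking at RRSIG records rather than only DNSKEY records is that the RRSIG algorithm field is what shows the signer is still producing SHA-1 signatures today.

```python
"""Check whether a zone is still signed with SHA-1-based DNSSEC algorithms.

Added example for the DNSOP thread above; not code from the list, the IETF
or deSEC. Input is zone-file presentation format. The sample zones below are
constructed (keys and signatures are placeholders, not real material).
Algorithm numbers and signing status follow RFC 8624, section 3.1.
"""
import re

# IANA DNSSEC algorithm number -> (mnemonic, RFC 8624 status for signing).
ALGORITHMS = {
    3:  ("DSA",                "MUST NOT"),
    5:  ("RSASHA1",            "NOT RECOMMENDED"),
    6:  ("DSA-NSEC3-SHA1",     "MUST NOT"),
    7:  ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8:  ("RSASHA256",          "MUST"),
    10: ("RSASHA512",          "NOT RECOMMENDED"),
    13: ("ECDSAP256SHA256",    "MUST"),
    14: ("ECDSAP384SHA384",    "MAY"),
    15: ("ED25519",            "RECOMMENDED"),
    16: ("ED448",              "MAY"),
}
# Every algorithm that hashes with SHA-1 before signing (DSA variants included).
SHA1_BASED = {3, 5, 6, 7}

# Presentation format: owner [TTL] [IN] DNSKEY flags protocol(3) algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s+\S+",
    re.I)
# Presentation format: owner [TTL] [IN] RRSIG covered algorithm labels origttl ...
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+",
    re.I)


def algorithm_name(alg):
    return ALGORITHMS.get(alg, ("ALG%d" % alg, "unknown"))[0]


def scan_zone(zone_text):
    """Return (owner, rrtype, detail, algorithm) for every DNSKEY and RRSIG line.

    detail is KSK/ZSK (from the SEP flag bit) for DNSKEY, the covered type for RRSIG.
    """
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if m:
            role = "KSK" if int(m["flags"]) & 1 else "ZSK"   # flag bit 15 = SEP
            findings.append((m["owner"], "DNSKEY", role, int(m["alg"])))
            continue
        m = RRSIG_RE.match(line)
        if m:
            findings.append((m["owner"], "RRSIG", m["covered"].upper(), int(m["alg"])))
    return findings


def sha1_report(zone_text):
    """Separate 'SHA-1 key published' from 'SHA-1 signatures actually produced'.

    RRSIGs show what the signer does today; a leftover DNSKEY may be rollover
    debris. Per RFC 4035 section 2.2 every algorithm in the apex DNSKEY RRset
    must also sign the zone, so a SHA-1 key without SHA-1 RRSIGs is flagged too.
    """
    findings = scan_zone(zone_text)
    sha1_keys = [f for f in findings if f[1] == "DNSKEY" and f[3] in SHA1_BASED]
    sha1_sigs = [f for f in findings if f[1] == "RRSIG" and f[3] in SHA1_BASED]
    sig_algs = sorted({algorithm_name(f[3]) for f in findings if f[1] == "RRSIG"})
    return {
        "signing_algorithms": sig_algs,
        "sha1_keys": sha1_keys,
        "sha1_sigs": sha1_sigs,
        "still_signing_with_sha1": bool(sha1_sigs),
        "orphan_sha1_key": bool(sha1_keys) and not sha1_sigs,
    }


# Constructed sample: an existing zone still signed with RSASHA1-NSEC3-SHA1 (7).
LEGACY_ZONE = """
example.      3600 IN DNSKEY 257 3 7 AwEAAaKSKplaceholder==   ; KSK
example.      3600 IN DNSKEY 256 3 7 AwEAAaZSKplaceholder==   ; ZSK
example.      3600 IN RRSIG  DNSKEY 7 1 3600 20240601000000 20240502000000 12345 example. c2lnMQ==
www.example.  3600 IN A      192.0.2.1
www.example.  3600 IN RRSIG  A 7 2 3600 20240601000000 20240502000000 54321 example. c2lnMg==
"""

# Constructed sample: the same zone after rolling to ECDSAP256SHA256 (13).
MIGRATED_ZONE = """
example.      3600 IN DNSKEY 257 3 13 KSKplaceholder==
example.      3600 IN DNSKEY 256 3 13 ZSKplaceholder==
example.      3600 IN RRSIG  DNSKEY 13 1 3600 20240601000000 20240502000000 11111 example. c2lnMw==
www.example.  3600 IN A      192.0.2.1
www.example.  3600 IN RRSIG  A 13 2 3600 20240601000000 20240502000000 22222 example. c2lnNA==
"""

if __name__ == "__main__":
    for label, zone in (("legacy", LEGACY_ZONE), ("migrated", MIGRATED_ZONE)):
        r = sha1_report(zone)
        print(label, r["signing_algorithms"], "SHA-1 signing:", r["still_signing_with_sha1"])
```

Run against a live zone, the same function works on the output of a zone transfer or of `dig +dnssec` answers saved in presentation format; what matters for the "are you still compliant" conversation is the `signing_algorithms` list, since that is what validators see in the RRSIGs.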
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop