Hi Wes and Warren,

While this is not crucial for the draft to progress, since you are making
changes to it, it might be worthwhile to raise this now rather than later.

Section 2 mentions DNSKEY and RRSIGs, but there's no mention of SHA-1
in DS until "Section 5 IANA Considerations".

I would suggest either adding to Section 3 something like:

-- cut here --
## Deprecating SHA-1 use in Delegation Signer records

The SHA-1 algorithm (Value 1) MUST NOT be used to create DS records.

Validating resolver implementations MUST continue to support validation
using these algorithms as they are diminishing in use but still actively in use
for some domains as of this publication.
-- cut here --

(Or Validating resolver implementations MUST NOT or whatever the plan is
right now...)

Or just mash this into Section 2. I think we are missing the advice for
the implementors about the SHA-1 DS.

P.S.: It is also completely possible that this has been discussed before
and I missed this or that I am completely confused and out of my mind.

Cheers,
Ondrej

On Wed, May 21, 2025, at 00:49, [email protected] wrote:
> Internet-Draft draft-ietf-dnsop-must-not-sha1-07.txt is now available. It is a
> work item of the Domain Name System Operations (DNSOP) WG of the IETF.
> 
>    Title:   Deprecating the use of SHA-1 in DNSSEC signature algorithms
>    Authors: Wes Hardaker
>             Warren Kumari
>    Name:    draft-ietf-dnsop-must-not-sha1-07.txt
>    Pages:   5
>    Dates:   2025-05-20
> 
> Abstract:
> 
>    This document deprecates the use of the RSASHA1 and
>    RSASHA1-NSEC3-SHA1 algorithms for the creation of DNS Public Key
>    (DNSKEY) and Resource Record Signature (RRSIG) records.
> 
>    It updates RFC4034 and RFC5155 as it deprecates the use of these
>    algorithms.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-must-not-sha1/
> 
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-must-not-sha1-07
> 
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-must-not-sha1-07
> 
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> 

--
Ondřej Surý (He/Him)
[email protected]
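The split the proposed Section 3 text draws, creating DS records versus validating them, as an added example (not from the draft or this thread): the generator refuses digest type 1 (SHA-1) while the checker still accepts an existing SHA-1 DS. The DNSKEY public key bytes are constructed, not a real key; the digest type numbers, the DS digest input and the key tag computation follow RFC 4034, RFC 4509 and RFC 6605.

```python
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SHA1_DIGEST_TYPE = 1

# Constructed placeholder public key material, not a real DNSKEY
PUBKEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64))).decode()

def wire_name(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, alg]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = digest(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_creation_allowed(digest_type):
    """Creation policy from the proposed text: SHA-1 (value 1) MUST NOT be used."""
    return digest_type in DIGESTS and digest_type != SHA1_DIGEST_TYPE

def make_ds(owner, flags, protocol, alg, pubkey_b64, digest_type=2):
    """Create a DS record (key_tag, algorithm, digest_type, digest) for a DNSKEY."""
    if not ds_creation_allowed(digest_type):
        raise ValueError("DS digest type %d MUST NOT be used to create DS records" % digest_type)
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    return (key_tag(rdata), alg, digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches_dnskey(ds, owner, flags, protocol, alg, pubkey_b64):
    """Validator side: an existing SHA-1 DS still verifies, as the proposed text requires."""
    tag, ds_alg, digest_type, digest = ds
    if digest_type not in DIGESTS or ds_alg != alg:
        return False
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    return tag == key_tag(rdata) and digest.upper() == ds_digest(owner, rdata, digest_type)
```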