Oh, I see.

The must-not-gost is correct, as GOST R 34.11-94 is a hash algorithm and ECC-GOST is a signing algorithm.

Tim, the PR you’ve submitted mixed SHA-1 with RSASHA-1. The first paragraph should say:

> The SHA-1 algorithm MUST NOT be used when creating DS records. …

The second paragraph should talk about the signing algorithm.

Guidance should be provided for validating resolvers on what to do if there’s only a DS SHA-1 algorithm. I would say “hard fault”, but it’s for the WG to decide.

Sorry for the formatting, copying text from the draft on iPhone does that and I don’t know how to switch back to plain text on my phone.

Ondrej
--
Ondřej Surý (He/Him)

On 21. 5. 2025, at 18:04, Ondřej Surý <[email protected]> wrote:

This still speaks only about RSASHA-1 and RSASHA1-NSEC3-SHA1 and it doesn’t address SHA-1 algorithm for DS.

Section 5 modifies both tables.

Ondrej
--
Ondřej Surý (He/Him)

On 21. 5. 2025, at 16:57, Tim Wicinski <[email protected]> wrote:


Wes/Warren

I made a stab at aligning section 2 of must-not-sha1 with section 2 of must-not-gost. 


If this is useful

tim


On Wed, May 21, 2025 at 9:49 AM Ondřej Surý <[email protected]> wrote:
Oh, absolutely, great idea. Consistency is great.

Ondrej
--
Ondřej Surý (He/Him)

On 21. 5. 2025, at 15:47, Tim Wicinski <[email protected]> wrote:



wearing no hats


Ondrej


On Wed, May 21, 2025 at 7:35 AM Ondřej Surý <[email protected]> wrote:
Hi Wes and Warren,

While this is not crucial for the draft to progress, since you are making
changes to it, it might be worthwhile to raise this now rather than later.

Section 2 mentions DNSKEY and RRSIGs, but there's no mention of SHA-1
in DS until "Section 5 IANA Considerations".


Another idea is to make Section 2 of must-not-sha1 similar to Section 2 of must-not-gost.
They are almost identical in nature except for the missing DS record in must-not-sha1. 

I would think the consistency would be useful to the various readers, and good examples in the future, but I can always be mistaken.


tim

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
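Added example, not code from the thread or from either draft: a validator-side policy check that makes the distinction the top message hinges on explicit, rejecting a DS record by its digest type field (SHA-1, GOST R 34.11-94) separately from rejecting the signing algorithm (RSASHA1, RSASHA1-NSEC3-SHA1, ECC-GOST), with the outcome for an all-SHA-1 DS set left as a parameter because the thread defers that to the WG. Registry numbers and the key tag computation follow RFC 4034/5933; the sample records, dummy public keys and digest values are constructed placeholders, and the DS digest bytes are not recomputed.

```python
import base64
import struct
# IANA values the two drafts touch: DS digest types vs. DNSKEY/RRSIG algorithms.
DS_DIGEST_MUST_NOT = {1: "SHA-1", 3: "GOST R 34.11-94"}
DNSKEY_ALG_MUST_NOT = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 not handled)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey + b"\x00" * (len(pubkey) % 2)
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):  # 'owner DNSKEY flags proto alg base64...' -> (keytag, alg)
    _owner, _type, flags, proto, alg, *b64 = line.split()
    return key_tag(int(flags), int(proto), int(alg), base64.b64decode("".join(b64))), int(alg)

def parse_ds(line):  # 'owner DS keytag alg digesttype hexdigest' -> (keytag, alg, dtype)
    _owner, _type, tag, alg, dtype, *_digest = line.split()
    return int(tag), int(alg), int(dtype)

def evaluate_delegation(ds_lines, dnskey_lines, rejected_ds_policy):
    """Return (state, reasons); rejected_ds_policy ('bogus' = hard fail, or 'insecure') is the WG's call."""
    keys = {parse_dnskey(l) for l in dnskey_lines}       # {(keytag, alg)}
    reasons, acceptable, usable = [], 0, False
    for line in ds_lines:
        tag, alg, dtype = parse_ds(line)
        if dtype in DS_DIGEST_MUST_NOT:                   # the DS *digest type* field
            reasons.append(f"DS {tag}: digest type {dtype} ({DS_DIGEST_MUST_NOT[dtype]}) MUST NOT be used")
            continue
        if alg in DNSKEY_ALG_MUST_NOT:                    # the *signing algorithm* field
            reasons.append(f"DS {tag}: algorithm {alg} ({DNSKEY_ALG_MUST_NOT[alg]}) MUST NOT be used")
            continue
        acceptable += 1
        if (tag, alg) in keys:  # digest bytes not recomputed here (would need the wire-format owner name)
            usable = True
    if usable:
        return "secure", reasons
    if not ds_lines:
        return "insecure", reasons                        # no DS at all: unsigned delegation
    if acceptable:
        return "bogus", reasons                           # acceptable DS present but no matching DNSKEY
    return rejected_ds_policy, reasons                    # every DS rejected by policy

# Constructed sample records: 4-byte dummy public keys, placeholder digests.
SAMPLE_DNSKEYS = ["example. DNSKEY 257 3 8 AQIDBA==",    # key tag 2063, RSASHA256
                  "example. DNSKEY 257 3 5 AQIDBA=="]    # key tag 2060, RSASHA1
DS_SHA256 = ["example. DS 2063 8 2 DEADBEEF"]
DS_SHA1_ONLY = ["example. DS 2063 8 1 DEADBEEF", "example. DS 2060 5 1 DEADBEEF"]
```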