Oh shoot I see that now. Thanks for catching that. Wes I sent you an update.
I will leave the guidance part off for now, others can comment on that.

thanks
tim

On Wed, May 21, 2025 at 12:21 PM Ondřej Surý <[email protected]> wrote:

> Oh, I see.
>
> The must-not-gost is correct as GOST R 34.11-94 is a hash algorithm and
> ECC-GOST is signing algorithm.
>
> Tim, the PR you’ve submitted mixed SHA-1 with RSASHA-1. The first
> paragraph should say:
>
> > The SHA-1 algorithm MUST NOT be used when creating DS records. …
>
> The second paragraph should talk about the signing algorithm.
>
> A guidance should be provided for Validating resolvers what to do if
> there’s only DS SHA-1 algorithm. I would say “hard fault”, but it’s for the
> WG to decide.
>
> Sorry for the formatting, copying text from the draft on iPhone does that
> and I don’t know how to switch back to plain text on my phone.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
>
> On 21. 5. 2025, at 18:04, Ondřej Surý <[email protected]> wrote:
>
> This still speaks only about RSASHA-1 and RSASHA1-NSEC3-SHA1 and it
> doesn’t address SHA-1 algorithm for DS.
>
> The Section 5 modifies both tables.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
>
> On 21. 5. 2025, at 16:57, Tim Wicinski <[email protected]> wrote:
>
> Wes/Warren
>
> I made a stab at aligning section 2 of must-not-sha1 with section 2 of
> must-not-gost.
>
> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-must-not-sha1/pull/11
>
> If this is useful
>
> tim
>
> On Wed, May 21, 2025 at 9:49 AM Ondřej Surý <[email protected]> wrote:
>
>> Oh, absolutely, great idea. Consistency is great.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>>
>> On 21. 5. 2025, at 15:47, Tim Wicinski <[email protected]> wrote:
>>
>> wearing no hats
>>
>> Ondrej
>>
>> On Wed, May 21, 2025 at 7:35 AM Ondřej Surý <[email protected]> wrote:
>>
>>> Hi Wes and Warren,
>>>
>>> while this is not crucial for the draft to progress, but since you are
>>> making changes to it, it might be worthwhile to raise this now rather
>>> than later.
>>>
>>> The Section 2 mentions DNSKEY and RRSIGs, but there's no mention of SHA-1
>>> in DS until "Section 5 IANA Considerations".
>>>
>> Another idea is to make Section 2 of must-not-sha1 similar to Section 2
>> of must-not-gost.
>> They are almost identical in nature except for the missing DS record in
>> must-not-sha1.
>>
>> I would think the consistency would be useful to the various readers, and
>> good examples in the future, but I can always be mistaken.
>>
>> tim

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
