Roman Danyliw via Datatracker <[email protected]> writes:

Thanks for the comments, Roman. Responses inline.

> ** Section 1 and 2.
>
> -- Section 1. "Further, support for validating SHA-1 based signatures has been
> removed from some systems."
>
> -- Section 2. "Validating resolver implementations MUST continue to support
> validation using these algorithms as they are diminishing in use but still
> actively in use for some domains as of this publication."
>
> Are these text snippets saying that implementations have already chosen to drop
> SHA-1 support, despite this draft saying it should not be?

Yes. Some RedHat systems, in particular, have already dropped support (which upset a lot of people).

> ** Section 1.
> As adequate
> alternatives exist, the use of SHA-1 is no longer advisable.
>
> Doesn't Section 2 say something much stronger than "no longer advisable"? It
> uses "MUST NOT".

Yes, but this is a justification text explaining *why* not mandating it (and mandating it in two places seems overkill).

> ** Section 3.
> This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1
> signatures since they are no longer considered to be secure.
>
> Isn't this imprecise? The prior seems to leave wide latitude to validating
> resolvers to continue to validate SHA1-based signatures. Maybe
>
> NEW (roughly)
> This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1 signatures
> in new DNSSEC records since these algorithms are no longer considered to be
> secure.

How's this:

This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1 for DNSSEC Delegation and DNSSEC Signing since these algorithms are no longer considered to be secure.

-- 
Wes Hardaker
USC/ISI
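The thread above separates two policies: signing or delegating with RSASHA1 and RSASHA1-NSEC3-SHA1 is deprecated, while validating resolvers must still be able to validate existing signatures. The following audit script is an added example and is not code from the thread, the draft, or any DNS implementation. It assumes records are supplied in presentation format with a TTL and the `IN` class present; the records, key material and signatures in `SAMPLE_RECORDS` are constructed placeholders, and the algorithm numbers 5 and 7 are the IANA assignments for the two algorithms.

```python
"""Audit DNSKEY, RRSIG and DS records for the deprecated SHA-1 DNSSEC algorithms.

Added example, not from the mailing-list thread or the draft it discusses.
Sample data below is constructed; key and signature fields are placeholders.
"""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (RFC 4034 / RFC 5155).
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
SHA1_ALGORITHMS = {RSASHA1: "RSASHA1", RSASHA1_NSEC3_SHA1: "RSASHA1-NSEC3-SHA1"}

# Position of the algorithm field within the RDATA of each record type:
# DNSKEY: flags protocol algorithm key
# RRSIG:  type-covered algorithm labels ...
# DS:     key-tag algorithm digest-type digest
ALGORITHM_FIELD = {"DNSKEY": 2, "RRSIG": 1, "DS": 1}

# Constructed sample records (presentation format, TTL and class present).
SAMPLE_RECORDS = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDERKEY==
example.test. 3600 IN DNSKEY 256 3 13 oJMRESzPLACEHOLDERKEY==
example.test. 3600 IN RRSIG SOA 7 2 3600 20250101000000 20241201000000 12345 example.test. PLACEHOLDERSIG==
example.test. 3600 IN RRSIG SOA 13 2 3600 20250101000000 20241201000000 54321 example.test. PLACEHOLDERSIG==
sub.example.test. 3600 IN DS 12345 7 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""


@dataclass(frozen=True)
class Finding:
    owner: str
    rrtype: str
    algorithm: int
    name: str


def parse_sha1_usage(zone_text: str) -> list:
    """Return one Finding per DNSKEY/RRSIG/DS record that uses algorithm 5 or 7."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        # Expect: owner TTL IN TYPE rdata...; skip anything else.
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rrtype, rdata = fields[0], fields[3], fields[4:]
        idx = ALGORITHM_FIELD.get(rrtype)
        if idx is None or len(rdata) <= idx or not rdata[idx].isdigit():
            continue
        alg = int(rdata[idx])
        if alg in SHA1_ALGORITHMS:
            findings.append(Finding(owner, rrtype, alg, SHA1_ALGORITHMS[alg]))
    return findings


def signer_may_use(algorithm: int) -> bool:
    """Signing/delegation policy: the SHA-1 algorithms are deprecated for new use."""
    return algorithm not in SHA1_ALGORITHMS


def validator_must_accept(algorithm: int) -> bool:
    """Validation policy: resolvers must continue to validate signatures made with them."""
    return algorithm in SHA1_ALGORITHMS


def signer_report(zone_text: str) -> list:
    """Lines a zone operator or parent should act on before publishing."""
    return [
        f"{f.owner} {f.rrtype}: {f.name} (alg {f.algorithm}) is deprecated for "
        f"signing/delegation; migrate to a current algorithm"
        for f in parse_sha1_usage(zone_text)
        if not signer_may_use(f.algorithm)
    ]


if __name__ == "__main__":
    for line in signer_report(SAMPLE_RECORDS):
        print(line)
    # A validator, by contrast, keeps accepting these records rather than
    # treating the algorithm as unknown, so it reports nothing here.
```

The split into `signer_may_use` and `validator_must_accept` is deliberate: a single "is SHA-1 allowed?" predicate would collapse exactly the distinction the draft text is trying to make, and a resolver that reuses the signer rule would start returning SERVFAIL for zones it is still required to validate.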
