On Wed, 21 May 2025, Paul Wouters via Datatracker wrote:
Subject: [DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop-must-not-sha1-07: (with DISCUSS and COMMENT)
Following up on myself:
I very much plan to say Yes, after one error is fixed in the document:
This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1 for
DNSSEC Delegation and DNSSEC signing
I think "DNSSEC Delegation" here is wrong. That is hashing, not signing, and it
does not use RSASHA1 or RSASHA1-NSEC3-SHA1, which are DNSKEY Signing algorithm
numbers and not DNSSEC Delegation Signer algorithm numbers.
The document does actually deprecate SHA-1 for the DS algorithm too, so
the only thing that needs changing is the Section 2 title that is
referring to only DNSKEY Signature Algorithms now. Maybe:
2. Deprecating SHA-1 from DNSSEC Signatures and Delegation RRs
Paul
_______________________________________________
DNSOP mailing list -- [email protected]
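As an added illustration (not part of the thread or of the draft itself): a small Python checker that keeps the two registries the message distinguishes apart, flagging DNSKEY algorithm numbers 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) and DS digest type 1 (SHA-1). The zone lines are constructed sample data with placeholder key and digest values.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA DNSSEC algorithm numbers (used in DNSKEY/RRSIG) that rely on SHA-1.
SHA1_DNSKEY_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
# IANA DS digest types: a separate registry; only type 1 is SHA-1.
SHA1_DS_DIGEST_TYPES = {1: "SHA-1"}
INSPECTED_TYPES = {"DNSKEY", "DS"}

@dataclass(frozen=True)
class Finding:
    owner: str
    rrtype: str
    field: str
    number: int
    name: str

def check_record(line: str) -> Optional[Finding]:
    """Return a Finding if a DNSKEY or DS presentation-format line uses SHA-1."""
    fields = line.split()
    # Presentation format: owner [ttl] [class] TYPE rdata...; find the type token.
    idx = next((i for i, tok in enumerate(fields) if tok in INSPECTED_TYPES), None)
    if idx is None:
        return None  # RRSIG, NSEC3, etc. are not inspected here
    owner, rrtype, rdata = fields[0], fields[idx], fields[idx + 1:]
    if len(rdata) < 4:
        return None  # malformed or truncated record
    if rrtype == "DNSKEY":
        # RDATA: flags protocol algorithm public-key
        alg = int(rdata[2])
        if alg in SHA1_DNSKEY_ALGORITHMS:
            return Finding(owner, rrtype, "algorithm", alg, SHA1_DNSKEY_ALGORITHMS[alg])
    else:
        # RDATA: key-tag algorithm digest-type digest. The algorithm field mirrors
        # the referenced DNSKEY; the digest type is its own registry, so a '1'
        # here means SHA-1 (whereas DNSKEY algorithm 1 would be RSAMD5).
        digest_type = int(rdata[2])
        if digest_type in SHA1_DS_DIGEST_TYPES:
            return Finding(owner, rrtype, "digest type", digest_type,
                           SHA1_DS_DIGEST_TYPES[digest_type])
    return None

def scan(zone_text: str) -> List[Finding]:
    return [f for f in (check_record(l) for l in zone_text.splitlines()) if f]

# Constructed sample zone fragment; key and digest values are placeholders.
SAMPLE_ZONE = """\
example. 3600 IN DNSKEY 257 3 7 AwEAAcPLACEHOLDERKEYDATA=
example. 3600 IN DNSKEY 256 3 13 oJMRESz5PLACEHOLDERKEYDATA=
example. 3600 IN DS 12345 7 1 0123456789ABCDEF0123456789ABCDEF01234567
example. 3600 IN DS 23456 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
```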