> On 22 May 2025, at 02:21, Ondřej Surý <[email protected]> wrote:
>
> Oh, I see.
>
> The must-not-gost is correct as GOST R 34.11-94 is a hash algorithm and ECC-GOST is a signing algorithm.
>
> Tim, the PR you've submitted mixed SHA-1 with RSASHA-1. The first paragraph should say:
>
> > The SHA-1 algorithm MUST NOT be used when creating DS records.
> …
>
> The second paragraph should talk about the signing algorithm.
>
> Guidance should be provided for validating resolvers on what to do if there's only a DS SHA-1 algorithm. I would say "hard fault", but it's for the WG to decide.
You just behave as if you don't support any other DS digest type. The zone gets treated as insecure.

> Sorry for the formatting, copying text from the draft on iPhone does that and I don't know how to switch back to plain text on my phone.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
>
>> On 21. 5. 2025, at 18:04, Ondřej Surý <[email protected]> wrote:
>>
>> This still speaks only about RSASHA-1 and RSASHA1-NSEC3-SHA1 and it doesn't address the SHA-1 algorithm for DS.
>>
>> Section 5 modifies both tables.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>>
>>> On 21. 5. 2025, at 16:57, Tim Wicinski <[email protected]> wrote:
>>>
>>> Wes/Warren
>>>
>>> I made a stab at aligning section 2 of must-not-sha1 with section 2 of must-not-gost.
>>>
>>> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-must-not-sha1/pull/11
>>>
>>> If this is useful
>>>
>>> tim
>>>
>>>
>>> On Wed, May 21, 2025 at 9:49 AM Ondřej Surý <[email protected]> wrote:
>>> Oh, absolutely, great idea. Consistency is great.
>>>
>>> Ondrej
>>> --
>>> Ondřej Surý (He/Him)
>>>
>>>> On 21. 5. 2025, at 15:47, Tim Wicinski <[email protected]> wrote:
>>>>
>>>>
>>>> wearing no hats
>>>>
>>>>
>>>> Ondrej
>>>>
>>>>
>>>> On Wed, May 21, 2025 at 7:35 AM Ondřej Surý <[email protected]> wrote:
>>>> Hi Wes and Warren,
>>>>
>>>> While this is not crucial for the draft to progress, since you are making changes to it, it might be worthwhile to raise this now rather than later.
>>>>
>>>> Section 2 mentions DNSKEY and RRSIGs, but there's no mention of SHA-1 in DS until "Section 5 IANA Considerations".
>>>>
>>>>
>>>> Another idea is to make Section 2 of must-not-sha1 similar to Section 2 of must-not-gost.
>>>> They are almost identical in nature except for the missing DS record in must-not-sha1.
>>>>
>>>> I would think the consistency would be useful to the various readers, and good examples in the future, but I can always be mistaken.
>>>>
>>>>
>>>> tim
>>>>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
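The validator behaviour described in the reply above (ignore DS records whose digest type or DNSKEY algorithm the validator does not accept, and treat the delegation as insecure when nothing usable remains, which is the RFC 6840 section 5.2 rule), as an added Python example that is not part of this thread or of either draft; the DNSKEY bytes, key tags and owner name are constructed, and RRSIG verification is out of scope:

```python
import hashlib
from dataclasses import dataclass
# IANA DS digest types: 1 SHA-1, 2 SHA-256, 3 GOST R 34.11-94, 4 SHA-384.
# IANA DNSKEY algorithms: 5 RSASHA1, 7 RSASHA1-NSEC3-SHA1, 12 ECC-GOST, 13 ECDSAP256SHA256.
SUPPORTED_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # SHA-1 (1) and GOST (3) left out on purpose
DEPRECATED_ALGORITHMS = {5, 7, 12}                           # RSASHA1, RSASHA1-NSEC3-SHA1, ECC-GOST
@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def ds_digest(owner: str, dnskey_rdata: bytes, hasher) -> bytes:
    """DS digest = H(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hasher(wire_name(owner) + dnskey_rdata).digest()

def usable_ds(ds_rrset):
    """Keep only DS records whose digest type and DNSKEY algorithm this validator accepts."""
    return [ds for ds in ds_rrset
            if ds.digest_type in SUPPORTED_DIGESTS and ds.algorithm not in DEPRECATED_ALGORITHMS]

def delegation_status(owner: str, ds_rrset, dnskeys) -> str:
    """dnskeys: list of (algorithm, DNSKEY RDATA bytes). Returns 'insecure', 'secure' or 'bogus'."""
    usable = usable_ds(ds_rrset)
    if not usable:
        return "insecure"  # no DS this validator can use: behave as if the zone were unsigned
    for ds in usable:
        for alg, rdata in dnskeys:
            if alg == ds.algorithm and ds_digest(owner, rdata, SUPPORTED_DIGESTS[ds.digest_type]) == ds.digest:
                return "secure"  # DS matches a DNSKEY; RRSIG verification of the DNSKEY RRset follows
    return "bogus"  # usable DS present, but none matches a published key

def demo() -> dict:
    """Constructed sample: one ECDSAP256SHA256 key (flags 257, proto 3, alg 13, dummy key bytes)."""
    owner, key = "example.", b"\x01\x01\x03\x0d" + bytes(range(64))
    ds_sha1 = DS(1, 13, 1, hashlib.sha1(wire_name(owner) + key).digest())  # correct digest, but SHA-1
    ds_sha256 = DS(1, 13, 2, ds_digest(owner, key, hashlib.sha256))
    ds_rsasha1 = DS(2, 5, 2, b"\x00" * 32)  # SHA-256 digest, but over a deprecated RSASHA1 key
    return {
        "sha1_only": delegation_status(owner, [ds_sha1], [(13, key)]),
        "sha1_and_sha256": delegation_status(owner, [ds_sha1, ds_sha256], [(13, key)]),
        "rsasha1_only": delegation_status(owner, [ds_rsasha1], [(5, key)]),
        "mismatch": delegation_status(owner, [DS(1, 13, 2, b"\xff" * 32)], [(13, key)]),
    }
```

The "sha1_only" and "rsasha1_only" cases come back insecure rather than bogus, which is the "treated as insecure" outcome rather than a hard fault.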
