> 2. Deprecating SHA-1 from DNSSEC Signatures and Delegation RRs [snip]
> Validating resolvers MUST
> treat RSASHA1 and RSASHA1-NSEC3-SHA1 DS records as insecure. If no
> other DS records of accepted cryptographic algorithms are available,
> the DNS records below the delegation point MUST be treated as
> insecure.
[snip]
> Validating
> resolver implementations ([RFC9499] section 10) MUST continue to
> support validation using these algorithms as they are diminishing in
> use but still actively in use for some domains as of this
> publication. Because of RSASHA1 and RSASHA1-NSEC3-SHA1's non-zero
> use, deployed validating resolvers MAY be configured to continue to
> validate RRSIG records that use these algorithms. Validating
> resolvers deployed in more security strict environments MAY treat
> these RRSIG records as an unsupported algorithm.
Do the above two paragraphs not contradict each other on whether
validation should be performed for RSASHA1 and RSASHA1-NSEC3-SHA1?
E.g., if a DS RRset exists with a single DS RR with Algorithm=RSASHA1
mapping to a DNSKEY in the child zone with Algorithm=RSASHA1, must the
child zone be considered insecure, or could validation be attempted with
RSASHA1?
Mukund
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
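To make the scenario in the question concrete, here is an added Python model (not code from the draft, the mailing list, or any resolver) of the two quoted rules applied in the order the quoted text presents them: the DS rule at the delegation point first, the RRSIG rule only once a usable DS exists. Algorithm numbers are the IANA DNSSEC values; the ACCEPTED set and the strict flag are assumed resolver configuration.

```python
"""Model of the two quoted SHA-1 deprecation rules (constructed illustration)."""

RSASHA1, RSASHA1_NSEC3_SHA1 = 5, 7          # the two algorithms the draft deprecates
RSASHA256, ECDSAP256SHA256 = 8, 13
DEPRECATED_SHA1 = {RSASHA1, RSASHA1_NSEC3_SHA1}
ACCEPTED = {RSASHA256, ECDSAP256SHA256}     # assumption: this resolver's accepted DS algorithms


def ds_rule(ds_rrset):
    """Paragraph 1: RSASHA1 / RSASHA1-NSEC3-SHA1 DS records are treated as
    insecure, i.e. they cannot be used to enter the child zone.  Returns the
    DS records of accepted algorithms that remain."""
    return [ds for ds in ds_rrset
            if ds["alg"] in ACCEPTED and ds["alg"] not in DEPRECATED_SHA1]


def rrsig_rule(rrsig_alg, strict):
    """Paragraph 2: a SHA-1 RRSIG MAY still be validated (lenient deployment)
    or MAY be treated as an unsupported algorithm (strict deployment).
    Returns the action the resolver takes for that signature."""
    if rrsig_alg in DEPRECATED_SHA1:
        return "unsupported" if strict else "validate"
    return "validate"


def evaluate_child(ds_rrset, rrsig_alg, strict=False):
    """Walk the delegation as the quoted text reads: DS rule first; the RRSIG
    rule is only reached when at least one accepted DS record survives."""
    if not ds_rule(ds_rrset):
        return "insecure"        # no accepted DS left: child zone is insecure, no RRSIG examined
    return rrsig_rule(rrsig_alg, strict)


# Constructed scenarios (key tags are placeholders)
SINGLE_SHA1_DS = [{"alg": RSASHA1, "key_tag": 1}]                 # the case in the question
MIXED_DS = [{"alg": ECDSAP256SHA256, "key_tag": 2},
            {"alg": RSASHA1, "key_tag": 1}]                        # one accepted DS alongside SHA-1

if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict={strict}: single SHA-1 DS -> {evaluate_child(SINGLE_SHA1_DS, RSASHA1, strict)}, "
              f"mixed DS -> {evaluate_child(MIXED_DS, RSASHA1, strict)}")
```

In this model the single-RSASHA1-DS case is decided by the DS rule alone, whatever the RRSIG setting; the lenient/strict choice from the second paragraph only changes the outcome when another accepted DS record is present.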
