> 2. The document also states "Because of RSASHA1 and RSASHA1-NSEC3-SHA1's
> non-zero use, deployed validating resolvers MAY be configured to
> continue to validate RRSIG records that use these algorithms.",
> which clearly conflicts with the MUST NOT above. There are two
> options to fix this in a minimal way:
>
> 2a. Remove this requirement entirely, as it goes against the
> principle of the document to stop using SHA1 (and thus treat it as
> insecure).
>
> 2b. Change the MUST in the first sentence to SHOULD NOT so the MAY
> is no longer in conflict.
Version -09 (and many previous versions) contains the following: "Validating resolver implementations ([RFC9499] section 10) MUST continue to support validation using these algorithms as they are diminishing in use but still actively in use for some domains as of this publication."

It seems to me that option 2a would lead to a weird conflict where validating resolvers MUST support SHA1 and MUST NOT ever use it.

It is not clear to me how "Validating resolvers MUST treat RSASHA1 and RSASHA1-NSEC3-SHA1 DS records as insecure" connects to "as they are diminishing in use but still actively in use for some domains as of this publication."
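To make concrete what "treat RSASHA1 and RSASHA1-NSEC3-SHA1 DS records as insecure" means at the delegation level, here is an added illustration (not from the thread, the draft or any resolver implementation) of the RFC 4035 section 5.2 rule: a DS RRset with no usable algorithm makes the child zone Insecure rather than Bogus. The algorithm numbers are the IANA registry values; the validator's supported set, the DS key tags and the digest types are constructed assumptions.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers for the algorithms discussed in the thread.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Algorithms this hypothetical validator can verify signatures with (assumption).
SUPPORTED = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256})


@dataclass(frozen=True)
class DS:
    """One DS record from the parent zone (digest omitted; only the
    algorithm field matters for this decision)."""
    key_tag: int
    algorithm: int
    digest_type: int


def delegation_status(ds_rrset, treat_as_insecure=frozenset()):
    """Classify a delegation from its authenticated DS RRset.

    RFC 4035 section 5.2: if none of the DS records uses an algorithm the
    validator supports, there is no authentication path into the child and
    the delegation is handled as if no DS RRset existed (Insecure).
    Algorithms in `treat_as_insecure` are handled like unsupported ones,
    modelling the draft's "treat ... DS records as insecure" wording.
    Returns "insecure" or "signed"; "signed" means the child's RRSIGs must
    then validate or its data is Bogus.
    """
    usable = [ds for ds in ds_rrset
              if ds.algorithm in SUPPORTED and ds.algorithm not in treat_as_insecure]
    return "signed" if usable else "insecure"


# Constructed sample DS RRsets (key tags and digest types are made up).
SHA1_ONLY = [DS(key_tag=12345, algorithm=RSASHA1, digest_type=2)]
MIXED = [DS(key_tag=12345, algorithm=RSASHA1, digest_type=2),
         DS(key_tag=23456, algorithm=ECDSAP256SHA256, digest_type=2)]
SHA1_DEPRECATED = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1})


def compare_policies(ds_rrset):
    """Status under a validator that still honours SHA1 DS records versus one
    that treats them as insecure as the draft requires."""
    return (delegation_status(ds_rrset),
            delegation_status(ds_rrset, treat_as_insecure=SHA1_DEPRECATED))


if __name__ == "__main__":
    print("SHA1-only:", compare_policies(SHA1_ONLY))  # ('signed', 'insecure')
    print("mixed    :", compare_policies(MIXED))      # ('signed', 'signed')
```

In the model, a SHA1-only delegation becomes Insecure before any RRSIG is examined, while a delegation that also publishes a DS for another algorithm stays signed and is validated through that algorithm.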
