In your letter dated Wed, 13 Aug 2025 15:16:17 -0700 you wrote:
>The intent was that implementations must still support it, because it
>won't disappear overnight.  And resolver operators must not ever use
>it, but we know some will ignore that for a while.  I.e., the shift for
>deployments is not instantaneous.

Looking at this from a software point of view, the draft says
"Validating resolver implementations ([RFC9499] section 10) MUST continue to
support validation using these algorithms as they are diminishing in use
but still actively in use for some domains as of this publication."

That is fine. 

Then, for software the next question is about defaults. Does software
ship with support for those algorithms enabled or disabled? Is either of
the two mandated?

If enabled is allowed then there is no change to (our) existing software.
However, that means that every operator would have to manually disable
support to comply with the 'MUST treat RSASHA1 and RSASHA1-NSEC3-SHA1 DS
records as insecure.'

If disabled is mandated, then that would be a breaking change for software
that currently ships with support for SHA1 enabled, which would be weird in
light of the following text in the draft: "as they are diminishing in use
but still actively in use for some domains as of this publication".
That may just break people's use of TLSA or SSHFP records.

So from a software point of view, I don't think disabled can be mandated
for existing software. 
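The defaults question raised in this message can be made concrete with a small model of the validator rule involved. The following is an added example, not code from the mail or from any resolver implementation: it applies the RFC 4035 section 5.2 rule that a delegation whose DS records all use algorithms the validator does not support is treated as insecure (unsigned) rather than bogus, and shows what that does to a zone signed only with RSASHA1 under each default. The algorithm numbers are the IANA DNSSEC values; the function names and sample DS sets are constructed for the example.

```python
"""Model of how a validator's SHA-1 default decides the fate of RSASHA1 zones.

Added illustration (not from the mailing-list thread or any resolver project).
Encodes RFC 4035 section 5.2: when no DS record in an authenticated DS RRset
uses an algorithm the validator supports, the child zone is handled as if no
DS existed, i.e. it is insecure rather than bogus.
"""

# IANA DNS Security Algorithm Numbers (real registry values)
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13

# The two algorithms the draft quoted above says MUST be treated as insecure.
SHA1_ALGORITHMS = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1})
MODERN_ALGORITHMS = frozenset({RSASHA256, ECDSAP256SHA256})


def supported_algorithms(sha1_enabled: bool) -> frozenset:
    """Algorithms a validator will follow, given its SHA-1 default setting."""
    if sha1_enabled:
        return MODERN_ALGORITHMS | SHA1_ALGORITHMS
    return MODERN_ALGORITHMS


def classify_delegation(ds_algorithms, supported) -> str:
    """Decide how a validator treats a child zone from its DS RRset.

    "validate": at least one DS record uses a supported algorithm, so the
                validator follows it and the answer ends up secure or bogus.
    "insecure": the DS RRset is empty (provably unsigned) or none of its
                algorithms are supported (RFC 4035 5.2: treat as no DS).
    """
    if any(alg in supported for alg in ds_algorithms):
        return "validate"
    return "insecure"


def dane_usable(security_status: str) -> bool:
    """TLSA (RFC 6698) and SSHFP (RFC 4255) records may only be trusted when
    the DNS answer is DNSSEC-secure; an insecure answer makes them unusable
    even though the records are still published."""
    return security_status == "secure"


def operator_must_reconfigure(sha1_enabled_default: bool) -> bool:
    """True when shipping defaults leave an RSASHA1-only DS set being
    validated, so the operator must act to meet the draft's MUST."""
    supported = supported_algorithms(sha1_enabled_default)
    return classify_delegation([RSASHA1], supported) != "insecure"


if __name__ == "__main__":
    # Constructed sample delegations: SHA-1-only, dual-signed, and unsigned.
    samples = {
        "sha1-only zone": [RSASHA1],
        "nsec3-sha1-only zone": [RSASHA1_NSEC3_SHA1],
        "dual-signed zone": [RSASHA1, ECDSAP256SHA256],
        "unsigned zone": [],
    }
    for default in (True, False):
        print(f"SHA-1 support enabled by default: {default}")
        for name, ds in samples.items():
            outcome = classify_delegation(ds, supported_algorithms(default))
            print(f"  {name:22s} -> {outcome}")
        print(f"  operator must reconfigure: {operator_must_reconfigure(default)}")
```

Read together, the two runs show the trade-off in the message: with SHA-1 enabled by default, every operator has to flip the switch to meet the MUST; with it disabled, the SHA-1-only zone drops to insecure, and `dane_usable("insecure")` is false, which is exactly the TLSA/SSHFP breakage for domains that have not yet rolled to a newer algorithm.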

_______________________________________________
DNSOP mailing list -- [email protected]