On Mon, Apr 11, 2016 at 03:15:47PM -0400, Paul Wouters wrote:
> Based on the above stats, I'd still prefer it to go away completely.

I have no objection to eliminating it from signers, and it's okay with me to leave it optional for validators, but that puts it to the level of MAY, not MUST NOT. I don't think it should go to MUST NOT unless merely *being able* to validate MD5 signatures is itself dangerous, and I don't believe that's the case.

> MUST- means you _must_ implement it, but it is expected to go to a lower
> level in the future. The next revision of the doc could very well leave
> it at MUST- if we don't see people moving to better algorithms. I'm
> still somewhat optimistic that if popular signing software such as
> opendnssec implements algorithm rollover, we might actually see many
> migrations from RSASHA1{NSEC3} to RSASHA256.

Yes, I understood the meaning, but I have no hope or expectation that its status (again, with respect to validators, not necessarily signers) will change in any plausible near future. Call it MUST- in some future revision when we've seen evidence of a switch taking place; hoping for it isn't enough.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.