On Tue, 28 Feb 2017, Roy Arends wrote:
We can't stuff PDF prefixes into this,
We don’t need to.
there are a lot less bytes
for an attacker to play with.
A CNAME chain will give you plenty of bytes to futz with.
None of the SHA1 hases we use are covering a chain of records.
Please also refrain from using MUST- SHOULD+ and SHOULD-.
For this SHA1 case or in general?
In general.
I disagree then. Did you read the motivation of why we use
those terms to clarify that we expect an algorithm to be
promoted or demoted in a future update?
I'd say we could update the DNSSEC
Signing entry from MUST- to SHOULD NOT
Good. That is exactly my request.
This is still only meaningful if the signer software vendors
in general agree with this. If they will just ignore this
document, then I feel there isn't much point in proceeding
with it.
but I would leave SHA1 for
DNSSEC validation at MUST-.
I’d say you have to update that as well to SHOULD NOT.
That is just unreasonable. Do you want half the the DNSSEC
signed zones in the world to go insecure or bogus?
Migration should be done responsibly.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
