--
Ondřej Surý
ond...@isc.org

> On 22 Mar 2018, at 17:27, Paul Wouters <p...@nohats.ca> wrote:
>
> On Thu, 22 Mar 2018, Ondřej Surý wrote:
>
>> https://github.com/oerdnj/draft-ietf-dnsop-algorithm-update
>>
>> Pull/Merge Requests, Issues, etc. are welcome.
>>
>> Most of the work done between the last version and this one is:
>>
>> * Removal of MUST-, SHOULD+, etc.
>> * Upgrade the urgency of deploying ECC
>> * Separate operational recommendation for the default algorithm to
>>   ECDSAP256SHA256
>> * Deprecation of ECC-GOST (that actually happened elsewhere, so we reflect
>>   it here)
>
> As for the DS algorithm 4, SHA-384 does not really add anything over
> SHA-256, so it would be good to move that further down from MAY to MUST
> NOT on the creation (not validation) part. I'm afraid the current
> listing might appear as "it is MAY now but will become MUST in the
> future".
>
> Based on Viktor's data, the ratio of SHA256 to SHA384 is 500:1, with
> only 8649 DS SHA384 records. Even GOST, which is MUST NOT, has 4x more
> DS records deployed, with 36388 records.
Sounds good to me; you already have access to the repo :).

> I think this text also needs an update:
>
>    RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although zones
>    deploying it are recommended to switch to ECDSAP256SHA256 as there is
>    an industry-wide trend to move to elliptic curve cryptography.
>
> They should switch away from SHA1 as SHA1 is being deprecated industry
> wide. Even if we recommend moving away from RSA (which I'm not sure there
> is consensus on) to ECC, I would like to move them to ED25519/ED448 over
> the ECDSA* variants.

I don't think this is currently feasible, so we need feedback from the WG.

> If it is too soon for that now, I would simply not
> recommend moving away from RSA. And maybe make ECDSAP256SHA256 a MAY
> instead of a MUST.

What would be the technical/security reason for skipping ECDSA?

Ondrej
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
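The DS digest type discussed above (2 = SHA-256, 4 = SHA-384) is a property of the DS record, independent of the DNSKEY algorithm it points at. The following is an added example, not code from the thread or from the draft, that builds the DS record for a DNSKEY both ways so the difference can be seen concretely: the same key tag, the same algorithm field, only the digest changes (32 vs 48 bytes). It implements the DS computation of RFC 4034 section 5.1.4 (digest over the canonical owner name followed by the DNSKEY RDATA) and the key tag of RFC 4034 Appendix B. The 64-byte "public key" in the demo is constructed filler, not a valid P-256 point; the DS computation does not inspect it.

```python
"""Build DS records (digest type 2 / SHA-256 and 4 / SHA-384) from a DNSKEY.

Added example; assumes only the Python standard library.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA "DS RR Digest Algorithms" registry.
DS_DIGEST = {2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2):
    lowercase, absolute, length-prefixed labels, terminated by a zero byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = DS_DIGEST[digest_type]()
    h.update(canonical_name(owner))
    h.update(rdata)
    return h.digest()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> str:
    """Presentation-format DS record for the given DNSKEY fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest.hex().upper()}"


if __name__ == "__main__":
    # Constructed demo key: flags 257 (KSK), protocol 3, algorithm 13
    # (ECDSAP256SHA256); the 64 key bytes are filler, not a real curve point.
    demo_key = base64.b64encode(bytes(range(64))).decode()
    for dt in (2, 4):
        print(ds_record("example.com.", 257, 3, 13, demo_key, dt))
```

Run as a script, it prints the two DS records for the constructed key; they share the key tag and algorithm field and differ only in the digest type and digest length. Since both digests cover exactly the same DNSKEY bytes, choosing type 4 for a P-256 key changes the hash but not the key being protected, which is the substance of the "SHA-384 does not really add anything over SHA-256" point above.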