The IANA DNSSEC parameter registry lists RSAMD5 (algorithm 1) as deprecated, and refers to [RFC3110], [RFC4034], which state that RSAMD5 is "NOT RECOMMENDED":

    https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1

"Survey says" that RSAMD5 is not only deprecated, but is in fact no longer used by any of the ~9 million DNSSEC-delegated domains I've been able to find on the public Internet:

    https://lists.dns-oarc.net/pipermail/dns-operations/2018-December/018146.html

It only has the effect of breaking two domains that have only RSAMD5 in the DS RRset, but have no DNSKEY RRs. 11 domains have working keys for algorithms 5, 7, 8 or 13 with a DS RRset that also lists an orphaned algorithm 1 with no RSAMD5 keys at the zone apex. A further 18 domains have RSAMD5 DS RRs, but are simply out of service even sans validation.

This suggests to me that the deprecation of RSAMD5 is a stunning success, it is gone, and perhaps it is time to say so:

  * Authoritative zones SHOULD NOT publish RSAMD5 DS RRs or DNSKEY records.

  * Validating resolvers MUST ignore RSAMD5 DS RRs and DNSKEY RRs, and MUST treat any zones with only ignored or unsupported DS records as "insecure".

Perhaps we could be bolder and say the same for DSA (algorithm 3); this too is largely gone, but there's a cluster of ~4700 ".me" domains with DSA keys. It is not clear that enabling those domains to validate merits ongoing support for algorithm 3. So we might also add DSA to the list, encouraging resolver implementations to drop support for both RSAMD5 and DSA.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
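The following is an added example, not code from Viktor's message or from any real resolver: a small Python model of the validator behaviour the second bullet asks for. It builds DS records from DNSKEY RDATA the way a parent zone would (RFC 4034 key tag, SHA-256 digest over the canonical owner name plus RDATA), then classifies a delegation as "secure", "bogus" or "insecure" after discarding DS records for algorithms 1 and 3. The zone name "example.net.", the public-key bytes, the supported-algorithm set and the restriction to digest type 2 are all assumptions made for the example; the key material is constructed filler, not a real key. It reproduces the three populations described above: an RSAMD5-only DS RRset with no DNSKEYs, a working algorithm 8 key beside an orphaned algorithm 1 DS, and, for contrast, a supported DS with no matching apex key.

```python
"""Delegation classification in the spirit of RFC 4035 s5.2 / RFC 6840 s5.2,
with the proposal applied: DS RRs for RSAMD5 (1) and DSA (3) are ignored,
and a DS RRset containing only ignored or unsupported algorithms makes the
zone insecure (unsigned) rather than bogus.
"""
import hashlib
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSAMD5, DSA, RSASHA1, RSASHA1_NSEC3, RSASHA256, ECDSAP256SHA256 = 1, 3, 5, 7, 8, 13
IGNORED_ALGS = {RSAMD5, DSA}                     # the proposal in the message
SUPPORTED_ALGS = {RSASHA1, RSASHA1_NSEC3, RSASHA256, ECDSAP256SHA256}  # assumed
SHA256_DIGEST_TYPE = 2                           # only digest type handled here


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the non-RSAMDS variant)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lower case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """The DS RR a parent would publish for `key` (digest type 2, SHA-256)."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, SHA256_DIGEST_TYPE, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True if `ds` authenticates `key`: same algorithm, tag and digest."""
    return (ds.digest_type == SHA256_DIGEST_TYPE
            and ds.algorithm == key.algorithm
            and ds.key_tag == key_tag(key.rdata())
            and ds_from_dnskey(owner, key).digest == ds.digest)


def classify_delegation(owner: str, ds_rrset: list, dnskey_rrset: list) -> str:
    """'secure' if some usable DS matches an apex zone key (validate on),
    'bogus' if a usable DS exists but nothing at the apex matches it,
    'insecure' if every DS was ignored or unsupported (treat as unsigned)."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm not in IGNORED_ALGS
              and ds.algorithm in SUPPORTED_ALGS
              and ds.digest_type == SHA256_DIGEST_TYPE]
    if not usable:
        return "insecure"
    for ds in usable:
        for key in dnskey_rrset:
            # protocol must be 3 and the Zone Key flag (bit 7, 0x0100) set
            if key.protocol == 3 and key.flags & 0x0100 and ds_matches(owner, ds, key):
                return "secure"
    return "bogus"


ZONE = "example.net."  # assumed zone name
# Constructed filler standing in for an RSA public key; not real key material.
KSK_ALG8 = DNSKEY(257, 3, RSASHA256, b"\x03\x01\x00\x01" + bytes(range(1, 65)))
# An orphaned RSAMD5 DS left at the parent; tag and digest are constructed.
DS_ALG1_ORPHAN = DS(12345, RSAMD5, SHA256_DIGEST_TYPE, bytes(32))


def demo() -> dict:
    ds8 = ds_from_dnskey(ZONE, KSK_ALG8)
    return {
        # the two broken domains: RSAMD5-only DS RRset, no DNSKEY RRs at all
        "only_rsamd5_no_dnskey": classify_delegation(ZONE, [DS_ALG1_ORPHAN], []),
        # the 11 domains: working algorithm 8 key plus an orphaned algorithm 1 DS
        "alg8_plus_orphaned_alg1": classify_delegation(ZONE, [DS_ALG1_ORPHAN, ds8], [KSK_ALG8]),
        # a supported DS with no matching apex key is still a validation failure
        "alg8_ds_no_matching_key": classify_delegation(ZONE, [ds8], []),
        # no DS at all is the ordinary unsigned delegation
        "no_ds": classify_delegation(ZONE, [], []),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Without the `IGNORED_ALGS` filter the first case would fall through to "bogus", which is exactly the breakage the message attributes to the two RSAMD5-only domains; with it, they degrade to unsigned, while the orphaned algorithm 1 DS beside a working algorithm 8 key is simply skipped.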