On Thu, Sep 09, 2021 at 11:28:04AM -0400, Paul Wouters wrote:

> Looks like for arpa., the DS records are:
>
> arpa. 27247 IN DS 42581 8 1
> 778606D9623F843F156E7D11ACBF815EB67AB516
> arpa. 27247 IN DS 42581 8 2
> F28391C1ED4DC0F151EDD251A3103DCE0B9A5A251ACF6E24073771D7 1F3C40F9
>
> Per our own recommendations, we should probably ask for the SHA-1 record to
> be removed :)

Speaking of dogfood consumption, a year ago (Sep 2020) Wes and I reached out to AMSL, suggesting algorithm rollovers to avoid use of deprecated code points by ietf.org:

    https://stats.dnssec-tools.org/explore/?ietf.org

The discussion also included Robert Sparks, Russ Housley and Jay Daley. This ultimately stalled around questions of providing detailed guidance to AMSL on the rollover logistics, and IIRC Wes suggested that perhaps the right risk/reward tradeoff is for ietf.org to temporarily (a few days) go unsigned and then deploy new keys with algorithm 13 or 8.

This too should probably be addressed, between AMSL and the relevant interested parties...

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
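
The DS digest check discussed in the message above, as an added example that is not part of the original thread: it parses DS records in presentation format, validates digest lengths, and reports SHA-1 (digest type 1) records that sit alongside a SHA-256 or SHA-384 DS for the same key. The function names `parse_ds` and `audit_ds` are hypothetical; the sample input is the two arpa. records quoted in the message.

```python
# Added example: audit DS records for SHA-1 digests (digest type 1).
from collections import defaultdict

# DS digest type -> (name, digest length in bytes), from the IANA DS digest registry
DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32),
                3: ("GOST R 34.11-94", 32), 4: ("SHA-384", 48)}

# The two arpa. DS records quoted in the message, in presentation format.
SAMPLE = """\
arpa. 27247 IN DS 42581 8 1 778606D9623F843F156E7D11ACBF815EB67AB516
arpa. 27247 IN DS 42581 8 2 F28391C1ED4DC0F151EDD251A3103DCE0B9A5A251ACF6E24073771D7 1F3C40F9
"""

def parse_ds(line):
    """Parse 'owner ttl IN DS keytag alg digtype hex...' into a dict."""
    f = line.split()
    if len(f) < 8 or f[2].upper() != "IN" or f[3].upper() != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    digest = bytes.fromhex("".join(f[7:]))  # digest may be split by whitespace
    return {"owner": f[0].lower(), "key_tag": int(f[4]), "algorithm": int(f[5]),
            "digest_type": int(f[6]), "digest": digest}

def audit_ds(text):
    """Return a list of (owner, key_tag, finding) tuples."""
    groups = defaultdict(list)
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        rr = parse_ds(line)
        name, length = DIGEST_TYPES.get(rr["digest_type"], (None, None))
        if name is None:
            findings.append((rr["owner"], rr["key_tag"], "unlisted digest type"))
        elif len(rr["digest"]) != length:
            findings.append((rr["owner"], rr["key_tag"], f"bad {name} digest length"))
        groups[(rr["owner"], rr["key_tag"], rr["algorithm"])].append(rr["digest_type"])
    # A SHA-1 DS can only be dropped safely if a stronger digest covers the same key.
    for (owner, tag, _alg), types in sorted(groups.items()):
        if 1 in types:
            stronger = any(t in (2, 4) for t in types)
            findings.append((owner, tag, "SHA-1 DS is redundant, can be removed"
                             if stronger else "SHA-1 DS only, add SHA-256 first"))
    return findings

if __name__ == "__main__":
    for finding in audit_ds(SAMPLE):
        print(*finding)
```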