On 5/2/24 10:19, Philip Homburg wrote:
> In your letter dated Thu, 2 May 2024 09:58:43 +0200 you wrote:
>> Right. Their policy may be "it's compliant and it works, so why roll?". It'll
>> be easier to push those SHA-1 signers to switch if one can tell them "look,
>> now you're not compliant anymore".
> So basically we need a BCP: operators of zones MUST NOT sign their zones
> with algorithms 5 and 7. If they currently do, they need to move away
> from those algorithms as quickly as possible.
I somewhat agree that this could also be done as a BCP. However, a MUST NOT
there and a MUST NOT elsewhere is still a MUST NOT, and I'd prefer them to be
in the same place as all the other algorithm recommendations.
> To me, that would sound better than trying to break protocols to get people
> to move.
I'm not following what breaks based on the wording I suggested, and I'm not
sure why you keep bringing that up. :-)
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop