It appears that Philip Homburg <pch-dnso...@u-1.phicoh.com> said:
>In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
>>I'm not following what breaks based on the wording I suggested, and I'm not sure why you keep bringing that up. :-)
>
>Let's say I sign my zones using some scripts and ldns-signzone. This
>has been working for years so is now on autopilot.
>
>Then an RFC gets published that signers MUST NOT support signing using SHA1,
>so ldns removes those algorithms. Then a software update brings the new
>version of ldns to my system. Now an unsigned zone gets deployed, ....
I use ldns-signzone in my DNS toaster, and if I had SHA1 keys and it stopped signing with the keys I have, updates would crash and nothing would get updated in my DNS. I would certainly notice and would not be happy. On the other hand, if it issued annoying warning messages every time it used a SHA1 key, I'd eventually notice and probably rotate the keys.

I'm with Peter, I do not see a MUST NOT as requiring vendors or operators to do stupid stuff.

R's,
John
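The failure mode both posters describe (a signer silently emitting an unsigned zone, or quietly keeping SHA1 keys) is cheap to catch with a pre-deploy gate. The check below is an added example, not code from the thread or from ldns; it reads a signed zone in presentation format, assumes one record per line as ldns-signzone writes it, and the zone text, names and key material are constructed placeholders.

```python
"""Pre-deploy gate for a signed zone: refuse to publish an unsigned zone,
warn when SHA-1 based DNSSEC algorithms are still in use."""

# Algorithm numbers whose signatures depend on SHA-1 (RSASHA1, RSASHA1-NSEC3-SHA1).
SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

def check_signed_zone(zone_text, apex):
    """Return (deploy, errors, warnings) for presentation-format zone text.

    deploy is False when the zone is effectively unsigned: no DNSKEY at the
    apex, or no RRSIG covering the SOA or the DNSKEY RRset."""
    apex = apex.rstrip(".").lower()
    dnskey_algs, sig_algs, covered = set(), set(), set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()          # drop comments
        if not fields:
            continue
        # owner [ttl] [class] TYPE rdata... : locate the type token
        pos = next((i for i, f in enumerate(fields)
                    if f.upper() in ("DNSKEY", "RRSIG")), None)
        if pos is None:
            continue
        owner, rtype, rdata = fields[0].rstrip(".").lower(), fields[pos].upper(), fields[pos + 1:]
        if rtype == "DNSKEY" and owner == apex:
            dnskey_algs.add(int(rdata[2]))              # flags protocol ALGORITHM key
        elif rtype == "RRSIG":
            covered.add(rdata[0].upper())               # TYPE-COVERED algorithm labels ...
            sig_algs.add(int(rdata[1]))
    errors, warnings = [], []
    if not dnskey_algs:
        errors.append("no DNSKEY at apex: zone is unsigned")
    for t in ("SOA", "DNSKEY"):
        if t not in covered:
            errors.append(f"no RRSIG covering {t}")
    for alg in sorted(dnskey_algs | sig_algs):
        if alg in SHA1_ALGS:
            warnings.append(f"SHA-1 based algorithm {alg} ({SHA1_ALGS[alg]}) in use; rotate keys")
    return (not errors, errors, warnings)

# Constructed sample zones (placeholder key and signature data, not real crypto).
SOA = "example.test. 3600 IN SOA ns1.example.test. host.example.test. 2024050201 7200 3600 1209600 3600"
UNSIGNED_ZONE = SOA + "\n"
SHA1_ZONE = SOA + """
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDER  ; constructed key
example.test. 3600 IN RRSIG SOA 5 2 3600 20240601000000 20240502000000 12345 example.test. c2ln
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20240601000000 20240502000000 12345 example.test. c2ln
"""
ECDSA_ZONE = SHA1_ZONE.replace(" 257 3 5 ", " 257 3 13 ").replace(" SOA 5 ", " SOA 13 ").replace(" DNSKEY 5 ", " DNSKEY 13 ")
```

Wire it into the signing script so a non-deployable result aborts the update instead of pushing an unsigned zone, and log the warnings where they will be seen.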