On Thu, May 2, 2024 at 11:38 AM John R Levine <jo...@taugh.com> wrote:

> I think we're agreeing that it would be a good idea to continue to
> discourage SHA1, but not a good idea to surprise people by making it
> suddenly stop working, a la Redhat.
>

Yep. Conceptually I agree with that. I also realized it's inherent in RFC
8624 that it only makes sense if interpreted as guidance to those
developing the software and tools that implement DNSSEC signing and/or
validation. A DNS operator is only going to sign a specific zone with a
single algorithm except during an algorithm roll. And there's no choice of
algorithms when deploying a validating resolver. On any platform I've ever
encountered, for the most part turning DNSSEC validation on or off is a
binary choice. The algorithms that are or aren't supported are built into
the software.

With that noted, the three drafts are suitable for working group adoption.
I support the idea of expressing the table in RFC 8624 in the IANA registry
and outlining that future recommendation changes can be applied there in a
consolidated location. I do think that should be the sole focus of that
draft and the rest of the text and the table of initial recommendations
should reflect the current RFC 8624 text.

Then the discussion of the other two drafts can focus on whether the
recommendations in the current RFC 8624 table should be changed.

Thanks,

Scott
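The distinction Scott draws above (RFC 8624's table is guidance to implementers, while an operator sees one algorithm per zone except mid-roll, and a validator has no per-algorithm switch) can be made concrete with a small audit script. The following is an added example, not code from the thread or from any of the drafts: it parses presentation-format DNSKEY records, groups them by zone, and reports each algorithm against the RFC 8624 Section 3.1 recommendation table (transcribed here from the RFC). The DNSKEY lines and key material are constructed placeholders, the zone names are fictitious, and the "status" buckets are this example's own coarsening of the table's signing column.

```python
"""Audit the algorithms in a zone's DNSKEY RRset against the RFC 8624 table.

Added example for the DNSOP discussion; not part of the thread or the drafts.
"""
import re
from collections import defaultdict

# RFC 8624, Section 3.1 (transcribed): algorithm number -> (mnemonic, signing, validation)
RFC8624_TABLE = {
    1: ("RSAMD5", "MUST NOT", "MUST NOT"),
    3: ("DSA", "MUST NOT", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED", "MUST"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8: ("RSASHA256", "MUST", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED", "MUST"),
    12: ("ECC-GOST", "MUST NOT", "MAY"),
    13: ("ECDSAP256SHA256", "MUST", "MUST"),
    14: ("ECDSAP384SHA384", "MAY", "RECOMMENDED"),
    15: ("ED25519", "RECOMMENDED", "RECOMMENDED"),
    16: ("ED448", "MAY", "RECOMMENDED"),
}

# Coarse status for the zone signer, derived from the "DNSSEC Signing" column.
SEVERITY = {"ok": 0, "discouraged": 1, "unknown": 2, "prohibited": 3}

# Presentation-format DNSKEY RR: owner [ttl] [IN] DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>\S+)"
)

# Constructed sample input: one zone mid-roll (8 -> 13), one still signed with
# RSASHA1, one on ED25519. Key fields are placeholder text, not real keys.
SAMPLE_DNSKEYS = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDksk8==
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDzsk8==
example.test. 3600 IN DNSKEY 257 3 13 cONSTRUCTEDksk13==
example.test. 3600 IN DNSKEY 256 3 13 cONSTRUCTEDzsk13==
legacy.test. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDksk5==
legacy.test. IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDzsk5==
modern.test. 300 DNSKEY 257 3 15 cONSTRUCTEDksk15==
"""


def parse_dnskeys(text):
    """Return a list of dicts (owner, flags, protocol, alg) for each DNSKEY line."""
    keys = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue  # comments, other RR types, blank lines
        keys.append({
            "owner": m["owner"].lower(),
            "flags": int(m["flags"]),       # 257 = KSK (SEP bit), 256 = ZSK
            "protocol": int(m["proto"]),    # always 3 for DNSSEC (RFC 4034)
            "alg": int(m["alg"]),
        })
    return keys


def signing_status(alg):
    """Map an algorithm number to ok / discouraged / prohibited / unknown."""
    entry = RFC8624_TABLE.get(alg)
    if entry is None:
        return "unknown"
    signing = entry[1]
    if signing == "MUST NOT":
        return "prohibited"
    if signing == "NOT RECOMMENDED":
        return "discouraged"
    return "ok"


def audit_zone_algorithms(text):
    """Group DNSKEYs by zone and report each zone's algorithms against RFC 8624."""
    by_owner = defaultdict(list)
    for key in parse_dnskeys(text):
        by_owner[key["owner"]].append(key)

    report = {}
    for owner, keys in by_owner.items():
        algs = sorted({k["alg"] for k in keys})
        findings = []
        for alg in algs:
            mnemonic, signing, validation = RFC8624_TABLE.get(
                alg, ("UNKNOWN", "n/a", "n/a"))
            findings.append({"alg": alg, "mnemonic": mnemonic,
                             "signing": signing, "validation": validation,
                             "status": signing_status(alg)})
        report[owner] = {
            "algorithms": algs,
            # More than one algorithm in a DNSKEY RRset normally means a roll in progress.
            "algorithm_roll_in_progress": len(algs) > 1,
            "findings": findings,
            "worst_status": max((f["status"] for f in findings), key=SEVERITY.get),
        }
    return report


if __name__ == "__main__":
    for owner, r in audit_zone_algorithms(SAMPLE_DNSKEYS).items():
        roll = " (algorithm roll in progress)" if r["algorithm_roll_in_progress"] else ""
        print(f"{owner} algorithms={r['algorithms']} worst={r['worst_status']}{roll}")
        for f in r["findings"]:
            print(f"  alg {f['alg']} {f['mnemonic']}: signing {f['signing']}, "
                  f"validation {f['validation']}")
```

Running it on the constructed sample flags legacy.test as "discouraged" (RSASHA1 is NOT RECOMMENDED for signing but still MUST be validated, which is exactly the "discourage, don't break" position in the thread), marks example.test as mid-roll because two algorithms are present, and leaves modern.test as "ok". An operator could feed it the output of a DNSKEY query for their own zones; a validator operator gets nothing actionable from it, since the validation column is fixed in the software.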
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop