Hi,

I am quite confused as SHA-512 is not standardized for use in DS records:

https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

I believe this change should be rejected until (and if) SHA-512 is standardized to use in DS records.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 16. 10. 2024, at 14:45, RFC Errata System <rfc-edi...@rfc-editor.org> wrote:
>
> The following errata report has been submitted for RFC8624,
> "Algorithm Implementation Requirements and Usage Guidance for DNSSEC".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8144
>
> --------------------------------------
> Type: Technical
> Reported by: Robert Wagner <rwag...@tesla.net>
>
> Section: 3.3
>
> Original Text
> -------------
> This document updates the IANA registry "Delegation Signer (DS) Resource
> Record (RR) Type Digest Algorithms". The registry has been updated by
> the following table from section 3.3:
>
> +--------+-----------------+-------------------+-------------------+
> | Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
> +--------+-----------------+-------------------+-------------------+
> | 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
> | 1      | SHA-1           | MUST NOT          | MUST              |
> | 2      | SHA-256         | MUST              | MUST              |
> | 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
> | 4      | SHA-384         | MAY               | RECOMMENDED       |
> +--------+-----------------+-------------------+-------------------+
>
>
> Corrected Text
> --------------
> This document updates the IANA registry "Delegation Signer (DS) Resource
> Record (RR) Type Digest Algorithms". The registry has been updated by
> the following table from section 3.3:
>
> +--------+-----------------+-------------------+-------------------+
> | Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
> +--------+-----------------+-------------------+-------------------+
> | 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
> | 1      | SHA-1           | MUST NOT          | MUST              |
> | 2      | SHA-256         | MUST              | MUST              |
> | 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
> | 4      | SHA-384         | MAY               | RECOMMENDED       |
> | 5      | SHA-512         | MAY               | MAY               |
> +--------+-----------------+-------------------+-------------------+
>
>
> Notes
> -----
> Requesting DNSSEC be allowed to fully support the
> Commercial National Security Algorithm Suite 2.0 - series of hashes.
> This is part of NISTs Post Quantum Cryptography effort
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8624 (draft-ietf-dnsop-algorithm-update-10)
> --------------------------------------
> Title : Algorithm Implementation Requirements and Usage
> Guidance for DNSSEC
> Publication Date : June 2019
> Author(s) : P. Wouters, O. Sury
> Category : PROPOSED STANDARD
> Source : Domain Name System Operations
> Stream : IETF
> Verifying Party : IESG

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org