I would propose not removing support for SHA1-based signatures, but maybe renaming the algorithm name to DEPRECATED-RSASHA1. It would require some change from the user, and he or she could not ignore that there is some change. But for some intentional usage, such as signing rootcanary.org test subdomains, it would still work.

Especially if needed for rolling algorithms in the zone, it would allow signing the zone as before. Remove it only after it has been long enough clearly marked deprecated, minimally in a new minor version.

On 02/05/2024 10:37, Philip Homburg wrote:
In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
I'm not following what breaks based on the wording I suggested, and I'm not sure why you keep bringing that up. :-)
Let's say I sign my zones using some scripts and ldns-signzone. This
has been working for years so is now on autopilot.

Then an RFC gets published that signers MUST NOT support signing using SHA1,
so ldns removes those algorithms. Then a software update brings the new
version of ldns to my system. Now an unsigned zone gets deployed, and the whole
zone is considered bogus by validators who see valid DS record but not a
corresponding signed zone.

My reading is that this is what the draft tries to do.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
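The failure mode Philip describes (a DS at the parent, but a zone that silently went out unsigned or re-signed with a different algorithm after the signer dropped SHA1) is easy to catch before publication. The following is an added example written for this thread, not ldns code or anything from the draft: it parses presentation-format DNSKEY, RRSIG and DS records, refuses to call a zone deployable unless every DS algorithm has a matching DNSKEY and RRSIGs, and separately reports which SHA1-based algorithms the zone still relies on. The zone and DS records are constructed samples with placeholder keys, signatures and digests; the name `example.test` and the function names are this example's own.

```python
"""Pre-deployment consistency check between a zone's DNSKEY/RRSIG records and the
parent's DS records. Added example, not ldns or any project's code. All zone
and DS text below is constructed sample data in presentation format."""

# IANA DNSSEC algorithm numbers for the SHA-1 based RSA algorithms.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}


def _records(text):
    """Yield the whitespace-split fields of every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            yield line.split()


def parse_zone(zone_text):
    """Return (dnskey_algs, rrsig_algs): algorithm numbers seen in DNSKEY and RRSIG
    records. DNSKEY rdata is 'flags protocol algorithm key'; RRSIG rdata starts
    'type-covered algorithm labels ...'. TTL and class are optional in the
    presentation format, so the type token is located by name, not position."""
    dnskey_algs, rrsig_algs = set(), set()
    for fields in _records(zone_text):
        for i, tok in enumerate(fields):
            if tok == "DNSKEY" and len(fields) > i + 3:
                dnskey_algs.add(int(fields[i + 3]))
                break
            if tok == "RRSIG" and len(fields) > i + 2:
                rrsig_algs.add(int(fields[i + 2]))
                break
    return dnskey_algs, rrsig_algs


def parse_ds(ds_text):
    """Return algorithm numbers from DS records ('keytag algorithm digest-type digest')."""
    algs = set()
    for fields in _records(ds_text):
        for i, tok in enumerate(fields):
            if tok == "DS" and len(fields) > i + 2:
                algs.add(int(fields[i + 2]))
                break
    return algs


def check_deployable(zone_text, ds_text):
    """Return a list of problems; empty means the zone can be published under the
    given DS records. A DS algorithm with no DNSKEY and RRSIGs of that algorithm
    leaves validators that trust the DS with a bogus (not insecure) zone."""
    dnskey_algs, rrsig_algs = parse_zone(zone_text)
    ds_algs = parse_ds(ds_text)
    problems = []
    if ds_algs and not rrsig_algs:
        problems.append("zone has no RRSIG records but the parent publishes DS: "
                        "validators will treat it as bogus, not insecure")
    for alg in sorted(ds_algs):
        if alg not in dnskey_algs:
            problems.append(f"DS references algorithm {alg} but no DNSKEY uses it")
        elif alg not in rrsig_algs:
            problems.append(f"DNSKEY algorithm {alg} present but no RRSIGs made with it")
    return problems


def sha1_in_use(zone_text):
    """Names of SHA-1 based algorithms the zone's DNSKEY RRset still depends on."""
    dnskey_algs, _ = parse_zone(zone_text)
    return [SHA1_ALGORITHMS[a] for a in sorted(dnskey_algs & set(SHA1_ALGORITHMS))]


# Constructed samples: keys, signatures and the DS digest are placeholders.
SIGNED_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024050201 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 5 2 3600 20240601000000 20240502000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN DNSKEY 257 3 5 QUFBQUFBQUFBQUFBQUFBQQ==   ; KSK, RSASHA1
example.test. 3600 IN DNSKEY 256 3 5 QkJCQkJCQkJCQkJCQkJCQg==   ; ZSK, RSASHA1
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20240601000000 20240502000000 12345 example.test. c2lnbmF0dXJl
"""
# The signer dropped algorithm 5 and the scripts wrote out the zone unsigned.
UNSIGNED_ZONE = "example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024050202 7200 3600 1209600 3600\n"
# The zone was re-signed with ECDSAP256SHA256 (13) but the parent DS was never updated.
ROLLED_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 13 Q0NDQ0NDQ0NDQ0NDQ0NDQw==   ; KSK, algorithm 13
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240601000000 20240502000000 54321 example.test. c2lnbmF0dXJl
"""
PARENT_DS = "example.test. 3600 IN DS 12345 5 2 " + "0123456789abcdef" * 4 + "\n"

if __name__ == "__main__":
    for name, zone in (("signed", SIGNED_ZONE), ("unsigned", UNSIGNED_ZONE), ("rolled", ROLLED_ZONE)):
        print(name, check_deployable(zone, PARENT_DS) or "OK", sha1_in_use(zone))
```

Run as a gate in the signing pipeline, a non-empty problem list stops the zone from being pushed to the authoritative servers; the `sha1_in_use` report is the operator's prompt to plan an algorithm rollover (including the DS update at the parent) before the signer stops supporting those algorithms.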
