On Tue, 7 Jan 2025, Paul Hoffman wrote:

draft-ietf-dnsop-must-not-sha1

This document is fine as-is, with one minor nit: Appendix C should be marked 
for removal by the RFC Editor, similar to Appendix B.

I think the Title and Abstract are broken. It currently states:

        Remove SHA-1 from active use within DNSSEC

        Abstract

        This document retires the use of SHA-1 within DNSSEC.


As we are not removing SHA-1 from NSEC3, I believe the title and abstract
(and perhaps more content) should clarify that this is about removing
SHA-1 as hashing and signature algorithm.

============================================

draft-ietf-dnsop-must-not-ecc-gost

The goal of this document is fine. Some of the wording could be toned down 
because we don't actually know why the algorithms were deprecated. I heard, 
very informally, that they had a minor but real weakness, and their 
replacements had better security proofs. Given our lack of certainty, we should 
deprecate them only because the sponsoring government did.

Agreed. Additionally, I also don't like the phrase "from active use". Is
there passive use? Also, we are not the protocol police about usage. We
declare something obsolete or historic. We don't "pull from active use".


Section 3 might instead read:

  This document potentially increases the security of the DNSSEC
  ecosystem by deprecating algorithms that are no longer
  recommended for use.

Section 4 might instead read:

  This document removes support for ECC-GOST. Zone operators currently
  making use of ECC-GOST based algorithms should switch to algorithms
  that remain supported. DNS registries should prohibit their clients
  from uploading and publishing ECC-GOST based DS records.

(The reference to RFC 9499 there is confusing, so it can be eliminated.)

It might also add a note stating that it is safe for code to be removed
as there is no real world deployment of this algorithm.

Appendix C should be marked for removal by the RFC Editor, similar to Appendix 
B.


Paul W
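
A registry- or operator-side check of the kind the two drafts imply, added here as an example that is not part of this thread or of either draft: it flags DNSKEY and DS records that use the SHA-1 and ECC-GOST code points, while leaving NSEC3's SHA-1 hash (NSEC3PARAM) alone, which is the distinction the reply asks the SHA-1 draft to make explicit. The algorithm and digest numbers are the IANA DNSSEC registry values, not taken from the thread; the zone fragment is constructed.

```python
# Algorithm and digest numbers are the IANA DNSSEC registry values, not from the thread.
DEPRECATED_SIGNATURE_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}
DEPRECATED_DS_DIGESTS = {1: "SHA-1", 3: "GOST R 34.11-94"}
# NSEC3 hash algorithm 1 is also SHA-1, but the draft keeps it, so NSEC3PARAM is not checked.


def check_record(rr: str) -> list:
    """Return findings for one DNSKEY or DS record in presentation format.

    Expected layouts (owner, TTL, class, type, then type-specific fields):
      DNSKEY: <owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <key>
      DS:     <owner> <ttl> IN DS <keytag> <algorithm> <digest type> <digest>
    Other record types, comments and short lines yield no findings.
    """
    fields = rr.split()
    if len(fields) < 7 or fields[0].startswith(";"):
        return []
    owner, rrtype = fields[0], fields[3].upper()
    findings = []
    if rrtype == "DNSKEY":
        alg = int(fields[6])
        if alg in DEPRECATED_SIGNATURE_ALGS:
            findings.append(f"{owner}: DNSKEY algorithm {alg} ({DEPRECATED_SIGNATURE_ALGS[alg]}) is deprecated")
    elif rrtype == "DS":
        alg, digest = int(fields[5]), int(fields[6])
        if alg in DEPRECATED_SIGNATURE_ALGS:
            findings.append(f"{owner}: DS algorithm {alg} ({DEPRECATED_SIGNATURE_ALGS[alg]}) is deprecated")
        if digest in DEPRECATED_DS_DIGESTS:
            findings.append(f"{owner}: DS digest type {digest} ({DEPRECATED_DS_DIGESTS[digest]}) is deprecated")
    return findings


def check_zone(text: str) -> list:
    """Run check_record over every line of a zone-file fragment."""
    return [f for line in text.splitlines() for f in check_record(line)]


# Constructed sample fragment; key and digest material is placeholder text.
SAMPLE_ZONE = """\
; constructed example, not real data
example.test. 3600 IN DNSKEY 257 3 7 AwEAAc0Mplaceholder=
example.test. 3600 IN DNSKEY 256 3 13 AwEAAd0Nplaceholder=
example.test. 3600 IN NSEC3PARAM 1 0 0 -
child.example.test. 3600 IN DS 12345 12 3 0123456789abcdef
child.example.test. 3600 IN DS 12345 13 1 0123456789abcdef
child.example.test. 3600 IN DS 12345 13 2 0123456789abcdef
"""

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE):
        print(finding)
```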

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org