Document: draft-ietf-dnsop-must-not-sha1
Title: Deprecating the use of SHA-1 in DNSSEC signature algorithms
Reviewer: Thomas Graf
Review result: Has Issues
I'm assigned to do an early OPS DIR review of this document. Thanks to the authors for taking care of this.

I believe the document is in good state; however, I have one point for the IANA Considerations section which potentially needs to be resolved. I let the IANA colleagues (CCed) decide.

The Operational Considerations section points an operator correctly to the relevant IANA DNSSEC registries, and the IANA Considerations section updates those registries according to the document's intent. However, there is a possible mismatch when comparing the text in the IANA Considerations section of the document with the Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms registry.

The registry currently lists the Digest Algorithms, their status and their document reference. There is no "Use for DNSSEC Delegation" field, and "MUST NOT" appears not to be a valid status. Further, it does not update the reference with this document's id, which leaves the operator's question unanswered when checking the registry as to why it was deprecated.

Therefore I suggest the following changes in Section 5:

Before:

   IANA is requested to set the "Use for DNSSEC Delegation" field of the
   "Digest Algorithms" registry [DS-IANA] for SHA-1 (1) to MUST NOT.

After:

   IANA is requested to set the "Status" field of the "Digest Algorithms"
   registry [DS-IANA] for SHA-1 (1) to "Deprecated" and add this document
   as reference.

I have seen that IANA has performed a review of document revision -03, did not flag this issue, and, without "and add this document as reference", added the document reference in the proposed changes.

Best wishes
Thomas