[DNSOP] Genart last call review of draft-ietf-dnsop-rfc2845bis-06

Reviewer: Jouni Korhonen Review result: Ready I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more informat

Re: [DNSOP] [secdir] Secdir review of draft-ietf-dnsop-rfc2845bis-06

On Tue, Jan 21, 2020 at 12:31 PM Tony Finch wrote: > > Warren Kumari wrote: > > > > I don't think that it is realistic to deprecate SHA-1 in TSIG for the > > foreseeable future, but stronger recommendations about moving to > > SHA-256 might be in order. > > Yes. > > > There is already some text:

Re: [DNSOP] [secdir] Secdir review of draft-ietf-dnsop-rfc2845bis-06

Warren Kumari wrote: > > I don't think that it is realistic to deprecate SHA-1 in TSIG for the > foreseeable future, but stronger recommendations about moving to > SHA-256 might be in order. Yes. > There is already some text: For context, the preceding paragraph says: The only message diges

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

On 1/21/20 6:03 PM, Tony Finch wrote: > Matthijs Mekking wrote: > >> I am not sure how they executed the algorithm rollover precisely. >> Particularly, were there ever two DS records in the root zone with >> different algorithms for these zones? > > I can answer that :-) > > Algorithm rollov

Re: [DNSOP] [secdir] Secdir review of draft-ietf-dnsop-rfc2845bis-06

[ - secdir for clutter, +DNSOP ] Hello DNSOPers, I'm looking for some advice / discussion... Below is the security directorate review of https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc2845bis/ (posted to the secdir list) -- normally I'd just start IESG Eval and let the security ADs review

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Matthijs Mekking wrote: > I am not sure how they executed the algorithm rollover precisely. > Particularly, were there ever two DS records in the root zone with > different algorithms for these zones? I can answer that :-) Algorithm rollovers have to be double-KSK rollovers because DS records h

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Shumon, On 1/21/20 4:05 PM, Shumon Huque wrote: > Hi Matthijs, > > Sorry, I did miss your original note on this point. Now that I've seen > it, I'm copying back dnsop@ietf.org to see if > there are other comments on your proposal. > > When the Algorithm Considerations se

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Hi Shumon, On Tue, Jan 21, 2020 at 10:05:56AM -0500, Shumon Huque wrote: > Hi Matthijs, > > Sorry, I did miss your original note on this point. Now that I've seen it, > I'm copying back dnsop@ietf.org to see if there are other comments on your > proposal. > > When the Algorithm Considerations se

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Shumon, You're asking the right questions: This also begs the question: should we (in another document) update RFC 4035, Section 2 (last paragraph) to relax or eliminate the rule, if in fact it is being ignored? Frankly, I've always been a bit perplexed by this text, since it has no accompanying

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Hi Matthijs, Sorry, I did miss your original note on this point. Now that I've seen it, I'm copying back dnsop@ietf.org to see if there are other comments on your proposal. When the Algorithm Considerations section was originally written, I intentionally did not prohibit the use of multiple algor