[DNSOP] Protocol Action: 'Deprecating the use of SHA-1 in DNSSEC signature algorithms' to Proposed Standard (draft-ietf-dnsop-must-not-sha1-09.txt)
The IESG <iesg-secretary@ietf.org> Wed, 04 June 2025 15:48 UTC
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Date: Wed, 04 Jun 2025 08:48:41 -0700
CC: The IESG <iesg@ietf.org>, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-must-not-sha1@ietf.org, evyncke@cisco.com, rfc-editor@rfc-editor.org, tjw.ietf@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Nyds3WmMOcoFfe1RJdS4l5zh2zM>

The IESG has approved the following document:
- 'Deprecating the use of SHA-1 in DNSSEC signature algorithms'
  (draft-ietf-dnsop-must-not-sha1-09.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working Group.

The IESG contact persons are Mahesh Jethanandani, Éric Vyncke and Mohamed Boucadair.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-must-not-sha1/

Technical Summary

   This document deprecates the use of the RSASHA1 and RSASHA1-NSEC3-SHA1
   algorithms for the creation of DNSKEY and RRSIG records.

   It updates RFC4034 and RFC5155 as it deprecates the use of these
   algorithms.

Working Group Summary

   From the shepherd's write-up: "WG consensus was solid."

Document Quality

   Also from the shepherd's write-up: "This document is a "cleanup" document
   which retires a DNSSEC algorithm from use. It is clear and understandable."

   Moreover, the responsible AD has checked whether all valuable comments
   received during the IETF Last Call were addressed.

Personnel

   The Document Shepherd for this document is Tim Wicinski. The Responsible
   Area Director is Éric Vyncke.

IANA Note

   Existing entries are updated.

RFC Editor Note

   When allocating RFC numbers for this I-D and for the related DNS drafts,
   please use three consecutive RFC numbers starting with
   draft-ietf-dnsop-rfc8624-bis, then draft-ietf-dnsop-must-not-sha1, then
   draft-ietf-dnsop-must-not-ecc-gost.

   Thanks

   -éric