[DNSOP] Re: [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

[Petr Menšík <pemensik@redhat.com>]

I would propose not removing support for SHA1 based signatures. But 
maybe renaming the algorithm name to DEPRECATED-RSASHA1. It would 
require some change from the user and he or she could not ignore there 
is some change. But for some intentional usage, such as signing 
rootcanary.org test subdomains, it would still work.

Especially if needed for rolling algorithms in the zone, it would allow 
signing the zone as before. Remove it only after it has been long enough 
clearly marked deprecated, minimally in a new minor version.

On 02/05/2024 10:37, Philip Homburg wrote:
> In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
>> I'm not following what breaks based on the wording I suggested, and I'm not su
>> re why you keep bringing that up. :-)
> Let's say I sign my zones using some scripts and ldns-signzone. This
> has been working for years so is now on autopilot.
>
> Then an RFC gets published that signers MUST NOT support signing using SHA1,
> so ldns removes those algorithms. Then a software update brings the new
> version of ldns my system. Now an unsigned zone gets deployed, and the whole
> zone is considered bogus by validators who see valid DS record but not a
> corresponding signed zone.
>
> My reading is that this is what the draft tries to do.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB