Re: [DNSOP] [Ext] SHA-1 DS algo in arpa. :)

Paul Hoffman <paul.hoffman@icann.org> Thu, 09 September 2021 15:49 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Paul Wouters <paul@nohats.ca>
CC: dnsop <dnsop@ietf.org>
Date: Thu, 09 Sep 2021 15:49:21 +0000
Message-ID: <F323FF7D-0022-4A9B-9B45-1356464ABE67@icann.org>
References: <262ce7f3-fb31-172d-e920-629da9c1e681@nohats.ca>
In-Reply-To: <262ce7f3-fb31-172d-e920-629da9c1e681@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yZ1PJdGxKoL6SGEC_SBgl7MPVEs>

On Sep 9, 2021, at 8:28 AM, Paul Wouters <paul@nohats.ca> wrote:
> This is hinted strongly at in 2006:
> 
> 	https://datatracker.ietf.org/doc/html/rfc4509#section-6.2
> 
> and even stronger via a MUST NOT in 2019's RFC 8624:
> 
> 	https://datatracker.ietf.org/doc/html/rfc8624#section-3.3

RFC 8624 is implementation guidance, not deployment guidance. This WG discussed at length whether to include deployment guidance (particularly for weaker algorithms like SHA1) and concluded that we didn't want to do that. You should know this, given that you are co-editor of RFC 8624.

> What's the process for requesting the SHA-1 based DS record deletion for .arpa?

Did you first ask the administrators of the zone in question before sending this message to a group that has no administrative power over the zone?

--Paul Hoffman
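The exchange above turns on what the MUST NOT in RFC 8624 section 3.3 covers: that table gives one column for use in DNSSEC delegation (publishing a DS) and one for validation, and SHA-1 (digest type 1) is MUST NOT for the former and MUST for the latter. The script below is an added example, not code from either poster or from ICANN or the IETF; it audits a DS RRset against that table and checks each DS against the zone's DNSKEYs by recomputing the digest per RFC 4034 section 5.1.4. The zone name, the DNSKEY (an 8-byte dummy blob, not a real key) and the DS lines are constructed, not real arpa data; the third DS line carries a deliberately bogus all-zero digest to show a non-matching record.

```python
"""Audit a DS RRset against RFC 8624 section 3.3 and check each DS against the
zone's DNSKEYs (RFC 4034 section 5.1.4). Added example with constructed data."""
import base64
import hashlib
import struct

# RFC 8624 section 3.3: digest type -> (mnemonic, use for delegation, use for validation)
DS_DIGEST_POLICY = {
    0: ("NULL (CDS only)", "MUST NOT", "MUST NOT"),
    1: ("SHA-1", "MUST NOT", "MUST"),
    2: ("SHA-256", "MUST", "MUST"),
    3: ("GOST R 34.11-94", "MUST NOT", "MAY"),
    4: ("SHA-384", "MAY", "RECOMMENDED"),
}
# Digest types this script can recompute (GOST is left out on purpose).
HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey, digest_type):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(line):
    """Parse 'owner. [TTL] IN DS tag alg dtype hex...' into (tag, alg, dtype, hex)."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower()


def audit_ds(owner, ds_records, dnskeys):
    """One finding per DS: RFC 8624 policy for its digest type, and whether any
    of the given DNSKEYs reproduces its digest."""
    findings = []
    for tag, alg, dtype, digest in ds_records:
        name, delegation, validation = DS_DIGEST_POLICY.get(
            dtype, ("unassigned", "MUST NOT", "MUST NOT"))
        matched = any(make_ds(owner, k, dtype) == (tag, alg, dtype, digest)
                      for k in dnskeys if dtype in HASHES)
        findings.append({
            "key_tag": tag, "digest_type": dtype, "digest_name": name,
            "delegation_use": delegation, "validation_use": validation,
            "deprecated_for_delegation": delegation == "MUST NOT",
            "matches_dnskey": matched,
        })
    return findings


# Constructed sample zone (assumption, not real data): one KSK (flags 257)
# whose "public key" is a dummy 8-byte blob; algorithm 13 is only a label here.
OWNER = "example.test."
KSK = (257, 3, 13, "AQIDBAUGBwg=")
SAMPLE_DS_LINES = [
    "%s IN DS %d %d %d %s" % ((OWNER,) + make_ds(OWNER, KSK, 1)),  # SHA-1 DS
    "%s IN DS %d %d %d %s" % ((OWNER,) + make_ds(OWNER, KSK, 2)),  # SHA-256 DS
    "%s IN DS 5154 13 2 %s" % (OWNER, "00" * 32),                  # bogus digest
]


def run_sample():
    return audit_ds(OWNER, [parse_ds(line) for line in SAMPLE_DS_LINES], [KSK])


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against real data, replace SAMPLE_DS_LINES and KSK with the DS RRset fetched from the parent and the DNSKEY RRset fetched from the child; a DS that is flagged deprecated_for_delegation but still matches_dnskey is exactly the situation the message above is about, and the script only reports it, it does not decide who removes it.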