Meta comment: As always, thank you RFC Editor!
On Thu, Oct 30, 2025 at 9:09 PM, <[email protected]> wrote:

> Authors,
>
> While reviewing this document during AUTH48, please resolve (as necessary)
> the following questions, which are also in the source file.
>
> 1) <!--[rfced] We have updated the short title that spans the header of
> the PDF file to more closely match the document title. Please let us know
> of any objection.
>
> Original:
> MUST NOT DNSSEC with SHA-1
>
> Current:
> Deprecating SHA-1 in DNSSEC Signature Algorithms
> -->
>

LGTM++!

> 2) <!-- [rfced] Please insert any keywords (beyond those that appear in
> the title) for use on https://www.rfc-editor.org/search.
> -->
>

DNS, rollover, agility, algorithm, SHA1

Shortcut: Thank you very much for all of the below proposals — I have reviewed and approved all, and I approve publication, etc.

W

> 3) <!--[rfced] FYI: The acronyms appear to be mismatched with the
> expansions, so we switched them accordingly as shown below.
>
> Original:
> Since then, multiple other algorithms with stronger cryptographic strength
> have become widely available for DS records and for Resource Record
> Signature (DNSKEY) and DNS Public Key (RRSIG) records [RFC4034].
>
> Current:
> Since then, multiple other algorithms with stronger cryptographic strength
> have become widely available for DS records and for Resource Record
> Signature (RRSIG) and DNS Public Key (DNSKEY) records [RFC4034].
> -->
>
> 4) <!--[rfced] Should the names of the IANA registries be included here
> for clarity?
>
> Original:
> Operators are encouraged to consider switching to one of the recommended
> algorithms listed in the [DNSKEY-IANA] and [DS-IANA] tables, respectively.
>
> Perhaps:
> Operators are encouraged to consider switching to one of the recommended
> algorithms listed in the "DNS Security Algorithm Numbers" [DNSKEY-IANA] and
> "Digest Algorithms" [DS-IANA] registries, respectively.
> -->
>
> 5) <!--[rfced] Is it correct that "DNSSEC Delegation" is uppercase and
> "DNSSEC signing" is lowercase in this sentence? In the companion document
> (draft-ietf-dnsop-rfc8624-bis-13 / RFC-to-be 9904), we note that "DNSSEC
> signers" is used in the running text and that
> "DNSSEC Delegation" is uppercase as it's only used in the name of the
> columns and IANA registry.
>
> Original:
> This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1 for
> DNSSEC Delegation and DNSSEC signing since these algorithms are no longer
> considered to be secure.
> -->
>
> 6) <!--[rfced] May we refer to the "tables" as "IANA registries" for
> clarity? Also, would "use" be clearer than "roll to"?
>
> Original:
> Zone owners currently making use of SHA-1 based algorithms should
> immediately roll to algorithms with stronger cryptographic algorithms, such
> as the recommended algorithms in the [DNSKEY-IANA] and [DS-IANA] tables.
>
> Perhaps:
> Zone owners currently making use of SHA-1-based algorithms should
> immediately use algorithms with stronger cryptographic algorithms, such as
> the recommended algorithms in the IANA registries
> [DNSKEY-IANA] [DS-IANA].
> -->
>
> 7) <!--[rfced] Per IANA's protocol action note, should the IANA section be
> updated as follows to capture all of IANA's updates to the entries?
>
> Current:
> IANA has set the "Use for DNSSEC Delegation" column of the "Digest
> Algorithms" registry [DS-IANA] [RFC9904] to MUST NOT for SHA-1 (1) and has
> added this document as a reference to the entry.
>
> IANA has set the "Use for DNSSEC Signing" column of the "DNS Security
> Algorithm Numbers" registry [DNSKEY-IANA] [RFC9904] to MUST NOT for the
> RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) algorithms and has added this
> document as a reference for these entries.
>
> All other columns should remain as currently specified.
>
> Perhaps:
> IANA has updated the SHA-1 (1) entry in the "Digest Algorithms" registry
> [DS-IANA] [RFC9904] as follows and has added this document as a reference
> for the entry:
>
> Value: 1
> Description: SHA-1
> Use for DNSSEC Delegation: MUST NOT
> Use for DNSSEC Validation: RECOMMENDED
> Implement for DNSSEC Delegation: MUST NOT
> Implement for DNSSEC Validation: MUST
>
> IANA has updated the RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) algorithm
> entries in the "DNS Security Algorithm Numbers" registry
> [DNSKEY-IANA] [RFC9904] as follows and has added this document as a
> reference for these entries:
>
> Number: 5
> Description: RSA/SHA-1
> Mnemonic: RSASHA1
> Zone Signing: Y
> Trans. Sec.: Y
> Use for DNSSEC Signing: MUST NOT
> Use for DNSSEC Validation: RECOMMENDED
> Implement for DNSSEC Signing: NOT RECOMMENDED
> Implement for DNSSEC Validation: MUST
>
> Number: 7
> Description: RSASHA1-NSEC3-SHA1
> Mnemonic: RSASHA1-NSEC3-SHA1
> Zone Signing: Y
> Trans. Sec.: Y
> Use for DNSSEC Signing: MUST NOT
> Use for DNSSEC Validation: RECOMMENDED
> Implement for DNSSEC Signing: NOT RECOMMENDED
> Implement for DNSSEC Validation: MUST
> -->
>
> 8) <!-- [rfced] Because this document updates RFCs 4034 and 5155, please
> review the errata reported for each
> (<https://www.rfc-editor.org/errata/rfc4034> and
> <https://www.rfc-editor.org/errata/rfc5155>) and let us know if you
> confirm our opinion that none of them are relevant to the content of this
> document.
> -->
>
> 9) <!-- [rfced] Please review the "Inclusive Language" portion of the
> online Style Guide
> <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
> and let us know if any changes are needed. Updates
> of this nature typically result in more precise language, which is helpful
> for readers.
>
> Note that our script did not flag any words in particular, but this should
> still be reviewed as a best practice.
> -->
>
> Thank you.
>
> Karen Moore
> RFC Production Center
>
> On Oct 30, 2025, at 6:07 PM, RFC Editor via auth48archive
> <auth48archive@rfc-editor.org> wrote:
>
> *****IMPORTANT*****
>
> Updated 2025/10/30
>
> RFC Author(s):
> --------------
>
> Instructions for Completing AUTH48
>
> Your document has now entered AUTH48. Once it has been reviewed and
> approved by you and all coauthors, it will be published as an RFC. If an
> author is no longer available, there are several remedies available as
> listed in the FAQ (https://www.rfc-editor.org/faq/).
>
> You and your coauthors are responsible for engaging other parties
> (e.g., Contributors or Working Group) as necessary before providing your
> approval.
>
> Planning your review
> ---------------------
>
> Please review the following aspects of your document:
>
> * RFC Editor questions
>
> Please review and resolve any questions raised by the RFC Editor that have
> been included in the XML file as comments marked as follows:
>
> <!-- [rfced] ... -->
>
> These questions will also be sent in a subsequent email.
>
> * Changes submitted by coauthors
>
> Please ensure that you review any changes submitted by your coauthors. We
> assume that if you do not speak up that you agree to changes submitted by
> your coauthors.
>
> * Content
>
> Please review the full content of the document, as this cannot change once
> the RFC is published. Please pay particular attention to:
> - IANA considerations updates (if applicable)
> - contact information
> - references
>
> * Copyright notices and legends
>
> Please review the copyright notice and legends as defined in RFC 5378 and
> the Trust Legal Provisions
> (TLP – https://trustee.ietf.org/license-info).
>
> * Semantic markup
>
> Please review the markup in the XML file to ensure that elements of
> content are correctly tagged. For example, ensure that <sourcecode> and
> <artwork> are set correctly. See details at
> <https://authors.ietf.org/rfcxml-vocabulary>.
>
> * Formatted output
>
> Please review the PDF, HTML, and TXT files to ensure that the formatted
> output, as generated from the markup in the XML file, is reasonable. Please
> note that the TXT will have formatting limitations compared to the PDF and
> HTML.
>
> Submitting changes
> ------------------
>
> To submit changes, please reply to this email using ‘REPLY ALL’ as all the
> parties CCed on this message need to see your changes. The parties include:
>
> * your coauthors
>
> * [email protected] (the RPC team)
>
> * other document participants, depending on the stream (e.g., IETF Stream
> participants are your working group chairs, the responsible ADs, and the
> document shepherd).
>
> * [email protected], which is a new archival mailing list to
> preserve AUTH48 conversations; it is not an active discussion list:
>
> * More info:
> https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc
>
> * The archive itself:
> https://mailarchive.ietf.org/arch/browse/auth48archive/
>
> * Note: If only absolutely necessary, you may temporarily opt out of the
> archiving of messages (e.g., to discuss a sensitive matter). If needed,
> please add a note at the top of the message that you have dropped the
> address. When the discussion is concluded, [email protected]
> will be re-added to the CC list and its addition will be noted at the top
> of the message.
>
> You may submit your changes in one of two ways:
>
> An update to the provided XML file
> — OR —
> An explicit list of changes in this format
>
> Section # (or indicate Global)
>
> OLD:
> old text
>
> NEW:
> new text
>
> You do not need to reply with both an updated XML file and an explicit
> list of changes, as either form is sufficient.
>
> We will ask a stream manager to review and approve any changes that seem
> beyond editorial in nature, e.g., addition of new text, deletion of text,
> and technical changes. Information about stream managers can be found in
> the FAQ.
> Editorial changes do not require approval from a stream manager.
>
> Approving for publication
> --------------------------
>
> To approve your RFC for publication, please reply to this email stating
> that you approve this RFC for publication. Please use ‘REPLY ALL’, as all
> the parties CCed on this message need to see your approval.
>
> Files
> -----
>
> The files are available here:
> https://www.rfc-editor.org/authors/rfc9905.xml
> https://www.rfc-editor.org/authors/rfc9905.html
> https://www.rfc-editor.org/authors/rfc9905.pdf
> https://www.rfc-editor.org/authors/rfc9905.txt
>
> Diff file of the text:
> https://www.rfc-editor.org/authors/rfc9905-diff.html
> https://www.rfc-editor.org/authors/rfc9905-rfcdiff.html (side by side)
>
> Diff of the XML:
> https://www.rfc-editor.org/authors/rfc9905-xmldiff1.html
>
> Tracking progress
> -----------------
>
> The details of the AUTH48 status of your document are here:
> https://www.rfc-editor.org/auth48/rfc9905
>
> Please let us know if you have any questions.
>
> Thank you for your cooperation,
>
> RFC Editor
>
> --------------------------------------
> RFC9905 (draft-ietf-dnsop-must-not-sha1-10)
>
> Title : Deprecating the use of SHA-1 in DNSSEC signature algorithms
> Author(s) : W. Hardaker, W. Kumari
> WG Chair(s) : Benno Overeinder, Ondřej Surý
>
> Area Director(s) : Mohamed Boucadair, Mahesh Jethanandani
>
> --
> auth48archive mailing list -- [email protected] To unsubscribe
> send an email to [email protected]
