On Thu, 22 Mar 2018, Ondřej Surý wrote:

https://github.com/oerdnj/draft-ietf-dnsop-algorithm-update

Pull/Merge Requests, Issues, etc. are welcome.

Most of the work done between the last version and this one is:

* Removal of MUST-, SHOULD+, etc…
* Upgrade the urgency of deploying ECC
* Separate operational recommendations for default algorithm to ECDSAP256SHA256
* Deprecation of ECC-GOST (that actually happened elsewhere, so we reflect it here)

As for the DS algorithm 4, SHA-384 does not really add anything over
SHA-256, so it would be good to move that further down from MAY to MUST
NOT on the creation (not validation) part. I'm afraid the current
listing might appear as "it is MAY now but will become MUST in the
future".

Based on Viktor's data, the ratio of SHA256 to SHA384 is 500:1 with
only 8649 DS SHA384 records. Even GOST which is MUST NOT has 4x more
DS records deployed with 36388 records.

I think this text also needs an update:

        RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although zones
        deploying it are recommended to switch to ECDSAP256SHA256 as there is
        an industry-wide trend to move to elliptic curve cryptography.

They should switch away from SHA1 as SHA1 is being deprecated industry-wide.
Even if we recommend moving away from RSA (which I'm not sure there is
consensus on) to ECC, I would like to move them to ED25519/ED448 over
the ECDSA* variants. If it is too soon for that now, I would simply not
recommend moving away from RSA. And maybe make ECDSAP256SHA256 a MAY
instead of a MUST.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
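As an added illustration of the DS digest types and DNSKEY algorithm numbers debated above (this is not code from the draft or from the thread), the following Python derives DS records with digest type 2 (SHA-256) and type 4 (SHA-384) from the same DNSKEY following RFC 4034, and audits a list of DS records for the algorithms the thread treats as deprecated. The key bytes and the record list are constructed, and the deprecated/discouraged sets encode the thread's position, not an IANA registry flag.

```python
import base64
import hashlib
import struct
from collections import Counter

# IANA numbers for the algorithms discussed in the thread.
DNSKEY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 12: "ECC-GOST",
               13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
DS_DIGESTS = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256),
              3: ("GOST R 34.11-94", None), 4: ("SHA-384", hashlib.sha384)}
# Assumption: these sets mirror the thread's position (SHA-1 and GOST out), not a registry flag.
DEPRECATED_DNSKEY_ALGS = {5, 7, 12}
DISCOURAGED_DS_DIGESTS = {1, 3}
# Constructed key material (bytes 1..16), not a real public key.
SAMPLE_PUBKEY_B64 = "AQIDBAUGBwgJCgsMDQ4PEA=="

def name_to_wire(name):
    """Canonical (lowercased, uncompressed) wire form of the owner name, as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, alg, pubkey_b64, digest_type):
    """Return (key_tag, alg, digest_type, digest_hex); the digest covers owner || DNSKEY RDATA."""
    name, hfunc = DS_DIGESTS[digest_type]
    if hfunc is None:
        raise ValueError(f"no generator for DS digest type {digest_type} ({name})")
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    return (key_tag(rdata), alg, digest_type, hfunc(name_to_wire(owner) + rdata).hexdigest())

def audit_ds(ds_records):
    """Count DS records by digest type and flag those using deprecated DNSKEY or DS algorithms."""
    by_digest = Counter(r[2] for r in ds_records)
    flagged = [r for r in ds_records
               if r[1] in DEPRECATED_DNSKEY_ALGS or r[2] in DISCOURAGED_DS_DIGESTS]
    return by_digest, flagged

if __name__ == "__main__":
    for dtype in (2, 4):   # same key, two digest types: same key tag, different digest length
        print(make_ds("example.com.", 257, 3, 13, SAMPLE_PUBKEY_B64, dtype))
```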