Fujiwara-san, I don't exactly understand why such a table would be better than the existing text that says:

> 3.2. DNSKEY Algorithm Recommendation
>
> Operation recommendation for new and existing deployments.
>
> Due to industry-wide trend to move to elliptic curve cryptography,
> the ECDSAP256SHA256 is RECOMMENDED for use by new DNSSEC deployments,
> and users of RSA based algorithms SHOULD upgrade to ECDSAP256SHA256.

I believe this is clear enough.

As for the second column, I am strongly opposed to saying what the recommendation would be in '2 years'. We have no idea about the deployment of Ed25519 resolvers[*], nor about RSA. But this is a type of document that needs to be regularly refreshed when needed, so we can issue another update in 2-5 years...

Ondrej

* - I also suspect that saying "usable" is too optimistic given that support for Ed25519 requires new OpenSSL 1.1.0 and the general glacier-speed deployments of new software.

--
Ondřej Surý
ond...@isc.org

> On 15 Oct 2018, at 17:04, fujiw...@jprs.co.jp wrote:
>
> WGLC comment to draft-ietf-dnsop-algorithm-update-02
>
> Section 3.2 is "recommendations for operators".
>
> There is text that discusses ECDSAP256SHA256 only in section 3.2.
> However, RSASHA256 is still usable.
> Please add text about other algorithms.
> If there is a table similar to section 3.1, it will help operators.
>
> For example,
>
>   choice of                  | choice of
>   signing algorithm (now)    | signing algorithm (2 years later)
>   ----------------------------------------------------------------------------
>   RSASHA1*     MUST NOT      | MUST NOT
>   RSASHA256    usable        | usable/consider change to EC*/Ed*
>   ECDSAP256*   usable        | usable
>   Ed25519      MAY           | usable
>
> Regards,
>
> --
> Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
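Added example, not part of this thread or of the draft: a small Python audit that parses DNSKEY records in zone-file presentation format, computes each key's key tag (RFC 4034 Appendix B) and maps the algorithm number onto the verdicts in the draft text quoted above (RSASHA1 MUST NOT, RSA SHOULD upgrade, ECDSAP256SHA256 RECOMMENDED, Ed25519 MAY). The zone data and key bytes are constructed placeholders, not real keys, and the algorithm-number table is the IANA DNSSEC algorithm registry as assumed here.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers -> mnemonics (assumed from the registry).
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}


def verdict(alg):
    """Operator verdict for one algorithm, following the quoted section 3.2 text."""
    name = ALGORITHMS.get(alg, "UNKNOWN")
    if name.startswith("RSASHA1"):
        return "MUST NOT: retire this key"
    if name.startswith("RSASHA"):
        return "SHOULD upgrade to ECDSAP256SHA256"
    if name == "ECDSAP256SHA256":
        return "RECOMMENDED"
    if name == "ED25519":
        return "MAY (verify resolver support first)"
    return "no recommendation in quoted text"


def key_tag(flags, protocol, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF         # fold the carry back in
    return ac & 0xFFFF


def audit(zone_text):
    """Return (owner, key tag, algorithm name, verdict) for every DNSKEY line."""
    results = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue  # not a DNSKEY record in "owner TTL IN DNSKEY flags proto alg key" form
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        pubkey = base64.b64decode("".join(f[7:]))  # key may be split across fields
        results.append((f[0], key_tag(flags, proto, alg, pubkey),
                        ALGORITHMS.get(alg, str(alg)), verdict(alg)))
    return results


# Constructed sample zone: a KSK on ECDSAP256SHA256, a ZSK on RSASHA256, a stale RSASHA1 ZSK.
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 13 AQI=
example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 5 BQYHCA==
"""

if __name__ == "__main__":
    for owner, tag, name, v in audit(SAMPLE_ZONE):
        print(f"{owner} keytag={tag} {name}: {v}")
```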