On Sat, 1 Dec 2018, Viktor Dukhovni wrote:

> The IANA DNSSEC parameter registry lists RSAMD5 (algorithm 1) as
> deprecated, and refers to [RFC3110], [RFC4034] which state that
> RSAMD5 is "NOT RECOMMENDED".
>
> https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1

And our draft is going further and says you MUST NOT implement it :)

https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04#section-3.1

> This suggests to me that the deprecation of RSAMD5 is a stunning
> success, it is gone, and perhaps it is time to say so:

I think more that it never really saw any deployment, so it seems a
little weird to claim success here. It shouldn't ever have gotten
an allocation even back then :P

>    * Authoritative zones SHOULD NOT publish RSAMD5 DS RRs or
>      DNSKEY records.
>
>    * Validating resolvers MUST ignore RSAMD5 DS RRs and DNSKEY
>      RRs, and MUST treat any zones with only ignored or unsupported
>      DS records as "insecure".

How weak. We went for MUST NOT :)

> Perhaps we could be bolder and say the same for DSA (algorithm 3),

Funny, we also have MUST NOT there :)

> this too is largely gone, but there's a cluster of ~4700 ".me"
> domains with DSA keys.  It is not clear that enabling those domains
> to validate merits ongoing support for algorithm 3.  So we might
> also add DSA to the list, encouraging resolver implementations to
> drop support for both RSAMD5 and DSA.

Done, as soon as the document gets a write up and goes into IETF LC :)

ping chairs :)

Paul
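The validator behaviour discussed in the thread (discard RSAMD5 and DSA DS/DNSKEY RRs, and treat a zone whose DS RRset leaves nothing usable as "insecure" rather than "bogus"), as an added worked example. This is not code from the thread, the draft, or any resolver; the algorithm and digest-type numbers are the IANA registry values, the set of algorithms the resolver "supports" is an assumed local policy, and the keys in the sample data are constructed byte strings, not real public keys. The DS-to-DNSKEY matching (key tag per RFC 4034 Appendix B, digest over owner name plus DNSKEY RDATA per RFC 4034 section 5.1.4) is real; RRSIG verification is left out.

```python
"""Added illustration of the RSAMD5/DSA handling discussed in the thread.
Not code from the draft or from any resolver.  SUPPORTED_* are an assumed
local policy; the sample keys below are constructed, not real public keys."""
import hashlib
import struct

RSAMD5, DSA = 1, 3
MUST_NOT_IMPLEMENT = {RSAMD5, DSA}          # the draft's MUST NOT list
# Assumed local policy: what this resolver can actually verify.
SUPPORTED_ALGS = {8, 13, 14, 15}            # RSASHA256, ECDSAP256SHA256, ECDSAP384SHA384, ED25519
SUPPORTED_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types SHA-256, SHA-384


def name_to_wire(name):
    """Uncompressed wire form of an owner name (RFC 1035), lowercased."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(key):
    """Key tag per RFC 4034 Appendix B.  (Algorithm 1 used a different formula,
    B.1; irrelevant here because RSAMD5 keys are discarded before this point.)"""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, key, digest_type):
    """Build the DS a parent would publish for `key` (RFC 4034 section 5.1.4)."""
    h = SUPPORTED_DIGESTS[digest_type]
    return {"key_tag": key_tag(key), "algorithm": key["algorithm"],
            "digest_type": digest_type,
            "digest": h(name_to_wire(owner) + dnskey_rdata(key)).digest()}


def usable_ds(ds_rrset):
    """DS records the validator may use: not on the MUST NOT list, and both
    the signing algorithm and the digest type are implemented locally."""
    return [ds for ds in ds_rrset
            if ds["algorithm"] not in MUST_NOT_IMPLEMENT
            and ds["algorithm"] in SUPPORTED_ALGS
            and ds["digest_type"] in SUPPORTED_DIGESTS]


def classify_zone(owner, ds_rrset, dnskey_rrset):
    """'insecure' if no DS is usable (RFC 4035 section 5.2 behaviour plus the
    draft's MUST NOT list); 'bogus' if usable DS exist but none authenticates
    a DNSKEY; otherwise 'secure' (RRSIG checks are out of scope here)."""
    ds_ok = usable_ds(ds_rrset)
    if not ds_ok:
        return "insecure"
    keys = [k for k in dnskey_rrset if k["algorithm"] not in MUST_NOT_IMPLEMENT]
    for ds in ds_ok:
        for k in keys:
            if (k["algorithm"] == ds["algorithm"] and key_tag(k) == ds["key_tag"]
                    and make_ds(owner, k, ds["digest_type"])["digest"] == ds["digest"]):
                return "secure"
    return "bogus"


# Constructed sample data: the pubkey bytes are placeholders, not real keys.
ECDSA_KEY = {"flags": 257, "protocol": 3, "algorithm": 13, "pubkey": bytes(range(64))}
DSA_KEY = {"flags": 257, "protocol": 3, "algorithm": DSA, "pubkey": bytes(range(40))}
OTHER_KEY = {"flags": 257, "protocol": 3, "algorithm": 13, "pubkey": bytes(range(1, 65))}

if __name__ == "__main__":
    # A zone like the ".me" cluster in the thread: only a DSA DS -> insecure, not bogus.
    print(classify_zone("dsa-only.example.", [make_ds("dsa-only.example.", DSA_KEY, 2)], [DSA_KEY]))
    # A modern DS with its matching key -> secure.
    print(classify_zone("good.example.", [make_ds("good.example.", ECDSA_KEY, 2)], [ECDSA_KEY]))
    # A modern DS whose key is absent from the DNSKEY RRset -> bogus.
    print(classify_zone("bad.example.", [make_ds("bad.example.", ECDSA_KEY, 2)], [OTHER_KEY]))
```

The distinction the draft text turns on is visible in the first two cases: a DSA-only delegation falls out of the chain of trust as "insecure" (the zone resolves, unvalidated), whereas a usable DS with no matching key is "bogus" (SERVFAIL). Dropping algorithm 3 therefore does not break the ~4700 ".me" domains; it only stops them validating.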

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop