Jim Reid wrote on 2022-08-14 05:16:
...

thanks jim for upleveling this; i hadn't noticed it previously.

On 14 Aug 2022, at 04:55, Wes Hardaker <wjh...@hardakers.net> wrote:

Something like:

# Deprecating SHA-1 algorithms in DNSSEC

The SHA-1 {{RFC3685}} algorithm MUST NOT be used when creating DS records.
Validating resolvers MUST treat DS records as insecure.  If no other DS
records of accepted cryptographic algorithms are available, the DNS
records below the delegation point MUST be treated as insecure.

wes, i think the language of RFC 4034 is better than "must treat as insecure". here's the text i mean:

5.2.  Processing of DS RRs When Validating Responses

   The DS RR links the authentication chain across zone boundaries, so
   the DS RR requires extra care in processing.  The DNSKEY RR referred
   to in the DS RR MUST be a DNSSEC zone key.  The DNSKEY RR Flags MUST
   have Flags bit 7 set.  If the DNSKEY flags do not indicate a DNSSEC
   zone key, the DS RR (and the DNSKEY RR it references) MUST NOT be
   used in the validation process.

to follow this example the final sentence ("if no other...insecure") would read as follows:

"A DS RR having an SHA-1 digest field must not be used in validation."

...because "must treat as insecure" doesn't have the same edge cases.

--
P Vixie
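Added worked example (not part of the thread, and not text from any of the participants): a small Python model of how a validator would apply the "must not be used in validation" wording above at a delegation point. A DS whose digest type is SHA-1 is simply dropped from the DS RRset before the DS-to-DNSKEY link is checked; if nothing usable remains, the delegation falls into the existing RFC 4035 section 5.2 "no supported DS" case and is treated as insecure, and if a usable DS remains but matches no zone key, the result is bogus. The DNSKEY, DS, owner name and the 64-byte public key are constructed sample values; the function names are mine and only the DS-to-DNSKEY step is modelled (no RRSIG checking).

```python
"""Filter a DS RRset under the proposed SHA-1 rule and derive the delegation status."""
import hashlib
from dataclasses import dataclass

# IANA DS digest type numbers.
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_SHA384 = 4

# Digest types the validator may still use; SHA-1 is deliberately absent.
USABLE_HASHERS = {DIGEST_SHA256: hashlib.sha256, DIGEST_SHA384: hashlib.sha384}
# Included only so the example can build a SHA-1 DS and show it being filtered out.
ALL_HASHERS = {DIGEST_SHA1: hashlib.sha1, **USABLE_HASHERS}

ZONE_KEY_FLAG = 0x0100  # DNSKEY Flags bit 7 (RFC 4034 section 2.1.1)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag calculation.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.lower().encode("ascii") for lab in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS a parent would publish for `key` (RFC 4034 section 5.1.4)."""
    digest = ALL_HASHERS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def usable_ds(ds_rrset: list) -> list:
    """Drop every DS that must not be used: SHA-1 digests, and digest types not implemented here."""
    return [ds for ds in ds_rrset if ds.digest_type in USABLE_HASHERS]


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """Does this DS reference this DNSKEY? (RFC 4034 section 5.2 zone-key check included.)"""
    if key.flags & ZONE_KEY_FLAG == 0:
        return False  # the referenced DNSKEY must be a zone key
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    expected = USABLE_HASHERS[ds.digest_type](name_to_wire(owner) + key.rdata()).digest()
    return expected == ds.digest


def delegation_status(owner: str, ds_rrset: list, dnskeys: list) -> str:
    """Outcome of the DS -> DNSKEY link only; RRSIG checks over the DNSKEY RRset are out of scope."""
    candidates = usable_ds(ds_rrset)
    if not candidates:
        # RFC 4035 section 5.2: no supported DS means no authentication path from the
        # parent, so the delegation is treated as unsigned (insecure), not as a failure.
        return "insecure"
    if any(ds_matches(owner, ds, key) for ds in candidates for key in dnskeys):
        return "secure"
    return "bogus"  # a usable DS exists but nothing in the child's DNSKEY RRset matches it


# Constructed sample data: a made-up zone key for "example." with a dummy 64-byte public key.
EXAMPLE_OWNER = "example."
EXAMPLE_KEY = DNSKEY(flags=0x0101, protocol=3, algorithm=13, public_key=bytes(range(64)))
DS_SHA1 = make_ds(EXAMPLE_OWNER, EXAMPLE_KEY, DIGEST_SHA1)
DS_SHA256 = make_ds(EXAMPLE_OWNER, EXAMPLE_KEY, DIGEST_SHA256)

if __name__ == "__main__":
    print("SHA-1 + SHA-256 DS:", delegation_status(EXAMPLE_OWNER, [DS_SHA1, DS_SHA256], [EXAMPLE_KEY]))
    print("SHA-1 DS only:     ", delegation_status(EXAMPLE_OWNER, [DS_SHA1], [EXAMPLE_KEY]))
```

The point the filter makes concrete: with a SHA-1 DS and a SHA-256 DS published side by side, the SHA-1 record is ignored and validation continues on the SHA-256 one, whereas a zone whose parent publishes only SHA-1 DS records ends up unsigned from the validator's point of view rather than bogus.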

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
