
Re: DS Algorithm selection and SHA1 deprecation



   Because zone administrators cannot control the deployment support of
   SHA-256 in deployed validators that may be referencing any given zone,
   deployments should consider publishing both SHA-1 and SHA-256 based
   DS records for a while.  Whether to publish both digest types
   together and for how long is a policy decision that extends beyond
   the scope of this document.

	I think this needs to be strengthened.  This currently allows
	you to use SHA-1 for one algorithm and SHA-256 for a different
	algorithm.  This really needs to be made pair-wise.  If you
	choose to publish both then you need to do this for every
	DNSKEY you are generating a DS for.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
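The pair-wise rule above, as an added illustration that is not part of the list post: the script builds both a SHA-1 (digest type 1) and a SHA-256 (digest type 2) DS record for a DNSKEY following RFC 4034 (DS digest over owner name wire format plus DNSKEY RDATA, key tag per Appendix B), and `missing_pairs` flags any (key tag, algorithm) that is not covered by both digest types. The owner name, flags and key bytes are constructed sample values, not real zone data.

```python
import hashlib
import struct

def wire_name(name):
    """Encode an owner name in DNS wire format (RFC 1035 labels, lowercased)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Build DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (ones-complement-style 16-bit sum)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4034 / RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def ds_records(owner, flags, protocol, algorithm, pubkey, digest_types=(1, 2)):
    """Return one (keytag, algorithm, digest_type, hexdigest) tuple per digest type."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    msg = wire_name(owner) + rdata  # DS digest input per RFC 4034 section 5.1.4
    return [(tag, algorithm, dt, DIGESTS[dt](msg).hexdigest()) for dt in digest_types]

def missing_pairs(ds_set, required=(1, 2)):
    """Return (keytag, algorithm) pairs that lack one of the required digest types."""
    seen = {}
    for tag, alg, dt, _ in ds_set:
        seen.setdefault((tag, alg), set()).add(dt)
    return sorted(k for k, dts in seen.items() if not set(required) <= dts)

if __name__ == "__main__":
    # Constructed sample: KSK flags 257, protocol 3, algorithm 13, dummy key bytes.
    full = ds_records("example.", 257, 3, 13, b"\x01\x02")
    for tag, alg, dt, hexd in full:
        print(f"example. IN DS {tag} {alg} {dt} {hexd}")
    print("incomplete pairs:", missing_pairs(full[:1]))
```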
