Deprecating the use of SHA-1 in DNSSEC signature algorithms
draft-ietf-dnsop-must-not-sha1-09

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-must-not-sha1@ietf.org, evyncke@cisco.com, rfc-editor@rfc-editor.org, tjw.ietf@gmail.com
Subject: Protocol Action: 'Deprecating the use of SHA-1 in DNSSEC signature algorithms' to Proposed Standard (draft-ietf-dnsop-must-not-sha1-09.txt)

The IESG has approved the following document:
- 'Deprecating the use of SHA-1 in DNSSEC signature algorithms'
  (draft-ietf-dnsop-must-not-sha1-09.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working
Group.

The IESG contact persons are Mahesh Jethanandani, Éric Vyncke and Mohamed
Boucadair.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-must-not-sha1/


Ballot Text

Technical Summary

   This document deprecates the use of the RSASHA1 and
   RSASHA1-NSEC3-SHA1 algorithms for the creation of DNSKEY and RRSIG
   records.

   It updates RFC4034 and RFC5155 as it deprecates the use of these
   algorithms.

Working Group Summary

   From the shepherd's write-up: "WG consensus was solid."

Document Quality

   Also from the shepherd's write-up: "This document is a 'cleanup'
   document which retires a DNSSEC algorithm from use. It is clear
   and understandable."
   Moreover, the responsible AD has checked whether all valuable
   comments received during the IETF Last Call were addressed.

Personnel

   The Document Shepherd for this document is Tim Wicinski. The Responsible
   Area Director is Éric Vyncke.

IANA Note

  Existing entries are updated.

RFC Editor Note

When allocating RFC numbers for this I-D and for the related DNS drafts, please use three consecutive RFC numbers starting with draft-ietf-dnsop-rfc8624-bis, then draft-ietf-dnsop-must-not-sha1, then draft-ietf-dnsop-must-not-ecc-gost.

Thanks

-éric