Last Call Review of draft-ietf-dnsop-must-not-sha1-03
review-ietf-dnsop-must-not-sha1-03-secdir-lc-nir-2025-02-27-00

Hi.

I agree with what the draft says, and also wth Barry Leiba's comments about
terminology. Still, there are two things in the draft text that stood out as
strange:

In the introduction, we have "DNSSEC [RFC9364] originally made extensive use of
SHA-1 as a cryptographic verification algorithm ... Since then, multiple other
signing algorithms with stronger cryptographic strength are now widely
available..."

RFC 9364 is from 2023. The algorithms in question (like SHA-256) did not pop up
"since then". The extensive use of SHA-1 has been since RFC 3110 from 2001. I
believe that should be the referenced document.

The other issue is with the security considerations section. It says, "This
document reduces the risk that a zone cannot be validated due to lack of SHA-1
support in a validator".  To me, that's an operational consideration - don't
use this because many validations don't support it. The security consideration
should be that RSA signatures with the SHA-1 has are no longer considered
secure (already stated in the introduction), and that is why validators are
dropping it and why you implementer should also drop it.