Telechat Review of draft-ietf-dnsop-must-not-sha1-06
review-ietf-dnsop-must-not-sha1-06-opsdir-telechat-graf-2025-04-12-00
Request | Review of | draft-ietf-dnsop-must-not-sha1 |
---|---|---|
Requested revision | No specific revision (document currently at 06) | |
Type | Telechat Review | |
Team | Ops Directorate (opsdir) | |
Deadline | 2025-05-20 | |
Requested | 2025-03-31 | |
Authors | Wes Hardaker, Warren Kumari | |
I-D last updated | 2025-04-11 (Latest revision 2025-04-11) | |
Completed reviews | Dnsdir IETF Last Call review of -03 by Florian Obser; Artart IETF Last Call review of -03 by Barry Leiba; Secdir IETF Last Call review of -03 by Yoav Nir; Genart IETF Last Call review of -03 by Behcet Sarikaya; Dnsdir Telechat review of -05 by Florian Obser; Opsdir Telechat review of -06 by Thomas Graf; Secdir Telechat review of -06 by Yoav Nir | |
Assignment | Reviewer | Thomas Graf |
State | Completed | |
Request | Telechat review on draft-ietf-dnsop-must-not-sha1 by Ops Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/JMO6-fXPJexCSa0fMQAlScedl0w | |
Reviewed revision | 06 | |
Result | Has issues | |
Completed | 2025-04-12 |
I'm assigned to do an early OPS DIR review of this document. Thanks to the authors for taking care of this.

I believe the document is in good state, however I have one point for the IANA consideration section which potentially needs to be resolved. I let IANA colleagues (CCed) decide.

The operational consideration section points an operator correctly to the relevant IANA DNSSEC registries. Where the IANA consideration section updates those registries according to the document intent.

However there is a possible mismatch when comparing the text in the IANA consideration section of the document and the Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms registry. The registry currently lists the Digest Algorithms, their status and its document reference. There is no "Use for DNSSEC Delegation" field and "MUST NOT" appears to be not a valid status. Further it does not update the reference with this document id, which leaves the question to the operator unanswered when checking the registry why it was deprecated.

Therefore I suggest the following changes in Section 5:

Before:

IANA is requested to set the "Use for DNSSEC Delegation" field of the "Digest Algorithms" registry [DS-IANA] for SHA-1 (1) to MUST NOT.

After:

IANA is requested to set the "Status" field of the "Digest Algorithms" registry [DS-IANA] for SHA-1 (1) to "Deprecated" and add this document as reference.

I have seen IANA has performed a review on document revision -03 and did not flag this issue and without "and add this document as reference" added the document reference in the proposed changes.

Best wishes
Thomas