Re: DS Algorithm selection and SHA1 deprecation
>>>>> On Wed, 07 Dec 2005 15:59:22 +1100, Mark Andrews <Mark_Andrews@isc.org> said:
>> Because zone administrators cannot control the deployment support
>> of SHA-256 in deployed validators that may be referencing any given
>> zone, deployments should consider publishing both SHA-1 and SHA-256
>> based DS records for a while. If multiple algorithms are used for a
>> given name then both SHA-1 and SHA-256 based DS records should be
>> published for every algorithm. Whether to make use of both digest
>> types and for how long is a policy decision that extends beyond the
>> scope of this document.
Mark> I'd still prefer the following change
Mark> s/algorithm/algorithm and preferably for every DNSKEY for which a DS is being generated/
Ok, but that's actually sort of stating the same thing again. Can't
we simplify things and just use your last wording without mentioning
algorithms?
Because zone administrators cannot control the deployment support of
SHA-256 in deployed validators that may be referencing any given zone,
deployments should consider publishing both SHA-1 and SHA-256 based DS
records. This should be done for every DNSKEY for which DS records
are being generated. Whether to make use of both digest types and for
how long is a policy decision that extends beyond the scope of this
document.
--
Wes Hardaker
Sparta, Inc.
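The rule being negotiated above ("both digest types, for every DNSKEY that gets a DS") is easy to get half right in tooling: a script that emits one DS per key and is later patched to add SHA-256 only for the newest algorithm is exactly the gap the draft text warns about. The following is an added example, not code from the post, the draft, or any ISC/Sparta tool. It builds DS records for every DNSKEY using the digest input from RFC 4034 section 5.1.4 (canonical owner name in wire form followed by the DNSKEY RDATA) and the key tag from RFC 4034 Appendix B, then audits a DS set for keys that are missing one of the two digest types. The zone name, the two keys and their public key bytes are constructed placeholders, not real keys; the algorithm numbers 5 (RSASHA1) and 8 (RSASHA256) are only there to show two algorithms at one name.

```python
"""Generate SHA-1 and SHA-256 DS records for every DNSKEY, then audit the set.

Added example; the zone, keys and key bytes are constructed placeholders.
Digest input per RFC 4034 s5.1.4: owner name (canonical wire form) + DNSKEY RDATA.
Key tag per RFC 4034 Appendix B (algorithms other than 1).
"""
import hashlib
from dataclasses import dataclass

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_FUNCS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def presentation(self) -> str:
        return (f"{self.owner} IN DS {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest.hex().upper()}")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name, root included."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY, digest_type: int) -> DS:
    rdata = key.rdata()
    digest = DIGEST_FUNCS[digest_type](name_to_wire(key.owner) + rdata).digest()
    return DS(key.owner, key_tag(rdata), key.algorithm, digest_type, digest)


def ds_set_for_keys(keys, digest_types=(DIGEST_SHA1, DIGEST_SHA256)):
    """Every requested digest type for every key: the draft's recommendation."""
    return [make_ds(k, t) for k in keys for t in digest_types]


def audit(ds_records, required=(DIGEST_SHA1, DIGEST_SHA256)):
    """Map (key_tag, algorithm) -> missing digest types, for every key that has
    at least one DS but not all of the required digest types. Empty means OK."""
    seen = {}
    for ds in ds_records:
        seen.setdefault((ds.key_tag, ds.algorithm), set()).add(ds.digest_type)
    return {k: sorted(set(required) - v) for k, v in seen.items()
            if set(required) - v}


# Constructed zone with two KSKs of different algorithms (placeholder key bytes).
ZONE = "example."
KEYS = [
    DNSKEY(ZONE, 257, 3, 5, bytes.fromhex("01020304")),      # alg 5, RSASHA1
    DNSKEY(ZONE, 257, 3, 8, bytes.fromhex("a1b2c3d4e5f6")),  # alg 8, RSASHA256
]

if __name__ == "__main__":
    full = ds_set_for_keys(KEYS)
    for ds in full:
        print(ds.presentation())
    # Simulate the half-done migration: SHA-256 added only for the newer algorithm.
    partial = [d for d in full if not (d.algorithm == 5 and d.digest_type == DIGEST_SHA256)]
    print("missing:", audit(partial))
```

The audit is keyed on (key tag, algorithm) rather than on digest bytes, because that pair is what a validator uses to pick the DS that matches a DNSKEY; a parent that carries SHA-256 for one KSK and only SHA-1 for another is still exposed for the second key regardless of how many DS records it publishes in total.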
--
archive: <http://ops.ietf.org/lists/namedroppers/>