Reviewer: Florian Obser
Review result: Ready with Issues

I have been selected as the DNS Directorate reviewer for this draft. The DNS Directorate seeks to review all DNS or DNS-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the ADs. For more information about the DNS Directorate, please see https://wiki.ietf.org/en/group/dnsdir

Issue
=====

| 2. Deprecating RSASHA1 and RSASHA1-NSEC3-SHA1 algorithms in DNSSEC
|
| Validating resolvers MUST continue to support validation using these
| algorithms as they are diminishing in use but still actively in use
| for some domains as of this publication. Thus, validating resolvers
| MAY treat RRSIG records created from DNSKEY records using these
| algorithms as an unsupported algorithm.

Éric flagged the previous wording in his AD review of version -02. I still do not get what the new wording is trying to say. How does one MAY do a thing that one MUST do at the same time?

Are you maybe trying to say that a validating resolver has two choices:

1. Implement RSASHA1 and RSASHA1-NSEC3-SHA1 and do proper validation
2. Stop implementing RSASHA1 and RSASHA1-NSEC3-SHA1 and treat the answer as insecure

But a validating resolver MUST NOT treat an answer as bogus solely because it uses RSASHA1 or RSASHA1-NSEC3-SHA1.

Once that issue is resolved the document is ready to go.

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
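To make the secure / insecure / bogus distinction behind the review concrete, here is an added example (not from the review or the draft) that models the outcome a validator reaches for an RRset in an RSASHA1-signed zone, with the review's choice 1 and choice 2 expressed as supported-algorithm sets. It assumes a constructed `verifies` flag in place of real signature checking; the algorithm numbers are the IANA DNSSEC registry values.

```python
"""Simplified model of DNSSEC validation outcomes by algorithm support.

Added example, not code from the review or the draft. Algorithm numbers
are the IANA DNSSEC registry values (RSASHA1 = 5, RSASHA1-NSEC3-SHA1 = 7,
RSASHA256 = 8, ECDSAP256SHA256 = 13). The cryptographic check itself is
replaced by a constructed `verifies` flag; the point is the decision.
"""
from dataclasses import dataclass

RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256 = 5, 7, 8, 13

# Choice 1 from the review: keep RSASHA1 support and validate properly.
CHOICE_1_SUPPORTED = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256}
# Choice 2 from the review: stop implementing RSASHA1 altogether.
CHOICE_2_SUPPORTED = {RSASHA256, ECDSAP256SHA256}


@dataclass(frozen=True)
class RRSig:
    algorithm: int
    verifies: bool  # constructed stand-in for the result of the signature check


def validation_state(ds_algorithms, rrsigs, supported):
    """Return 'secure', 'insecure' or 'bogus' for one signed RRset.

    ds_algorithms: algorithms listed in the zone's authenticated DS RRset
    rrsigs:        RRSIGs covering the RRset being validated
    supported:     algorithms this validator implements

    Rules applied (RFC 4035 section 5.2, RFC 6840 section 5.2):
    - no DS algorithm is supported -> no usable authentication path,
      so the zone is treated as unsigned: insecure, never bogus
    - otherwise, one verifying RRSIG of a supported algorithm -> secure
    - otherwise -> bogus (a supported path exists but fails)
    """
    usable_algorithms = set(ds_algorithms) & set(supported)
    if not usable_algorithms:
        return "insecure"
    for sig in rrsigs:
        if sig.algorithm in usable_algorithms and sig.verifies:
            return "secure"
    return "bogus"


if __name__ == "__main__":
    sha1_zone = {RSASHA1}                      # constructed: DS RRset lists only RSASHA1
    sigs = [RRSig(RSASHA1, verifies=True)]     # constructed: a good RSASHA1 signature
    print("choice 1:", validation_state(sha1_zone, sigs, CHOICE_1_SUPPORTED))  # secure
    print("choice 2:", validation_state(sha1_zone, sigs, CHOICE_2_SUPPORTED))  # insecure
```

The same RSASHA1-only zone comes out secure under choice 1 and insecure under choice 2; it becomes bogus only when the validator does support the algorithm and the signature fails.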