Hello SHA1-fighting friends,

this is a DNSDIR review for draft-ietf-dnsop-must-not-sha1.

This document appears to be mostly ready, but should perhaps (as also noted on the mailing list) gain some visible relation to 8624(-bis) - unless the argument is that the table in 8624 and its predecessors now lives at IANA and history is tracked there, which would also make sense to me.

Like the OPSDIR review flagged a problem in the DS update for IANA, the request to change [DNSKEY-IANA] requests "MUST NOT" while the table just has Y/N. However, this appears to be covered by 8624-bis. This document should perhaps also say Updating: 8624 (or -bis) as it updates the tables in there?

Nits:

> Since then, multiple other algorithms with stronger cryptographic strength are now widely available for DS records and for DNSKEY and RRSIG records.

"Since" and "are now"' feels incongruent. Perhaps "have become widely available"?