2. Deprecating ECC-GOST Algorithms in DNSSEC
The GOST R 34.11-94 algorithm [RFC5933] MUST NOT be used when creating Delegation Signer (DS) records. Validating resolvers MUST treat GOST R 34.11-94 DS records as insecure. If no other DS records of accepted cryptographic algorithms are available, the DNS records below the delegation point MUST be treated as insecure.
The GOST R 34.10-2001 algorithm [RFC5933] (mnemonic "ECC-GOST") MUST NOT be used when creating DNS Public Key (DNSKEY) and Resource Record Signature (RRSIG) records. Validating resolvers MUST treat RRSIG records created from DNSKEY records using these algorithms as unsupported algorithms. If no other RRSIG records of accepted cryptographic algorithms are available, the validating resolver MUST consider the associated resource records as insecure.
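The resolver-side decision described in this section, as an added Python example (not part of this document's normative text and not taken from any resolver implementation). The accepted digest and algorithm sets, the function names and the sample records are assumptions constructed for illustration; 3 and 12 are the IANA code points for the GOST R 34.11-94 DS digest type and the ECC-GOST DNSSEC algorithm.

```python
# Added example; records below are constructed samples, not real zone data.
DS_DIGEST_GOST_94 = 3   # IANA DS digest type for GOST R 34.11-94
ALG_ECC_GOST = 12       # IANA DNSSEC algorithm number for ECC-GOST
# Assumption: this hypothetical resolver accepts only these code points.
ACCEPTED_DIGESTS = {2, 4}          # SHA-256, SHA-384
ACCEPTED_ALGORITHMS = {8, 13, 15}  # RSASHA256, ECDSAP256SHA256, ED25519


def parse_rdata(line, rrtype):
    """Return the RDATA fields of a presentation-format record of rrtype."""
    fields = line.split()
    return fields[fields.index(rrtype) + 1:]


def usable_ds(ds_lines):
    """Keep DS records whose digest type and key algorithm are both accepted."""
    usable = []
    for line in ds_lines:
        key_tag, alg, digest_type = (int(f) for f in parse_rdata(line, "DS")[:3])
        if digest_type == DS_DIGEST_GOST_94 or alg == ALG_ECC_GOST:
            continue  # deprecated: never used to build a chain of trust
        if digest_type in ACCEPTED_DIGESTS and alg in ACCEPTED_ALGORITHMS:
            usable.append((key_tag, alg, digest_type))
    return usable


def delegation_state(ds_lines):
    """'insecure' when no accepted DS record remains, else 'validate'."""
    return "validate" if usable_ds(ds_lines) else "insecure"


def rrset_state(rrsig_lines):
    """'insecure' when every RRSIG uses an unsupported algorithm."""
    # RRSIG RDATA: type-covered, algorithm, labels, ... so index 1 is the algorithm.
    algs = {int(parse_rdata(line, "RRSIG")[1]) for line in rrsig_lines}
    return "validate" if algs & (ACCEPTED_ALGORITHMS - {ALG_ECC_GOST}) else "insecure"


# Constructed samples (digests and signatures are shortened placeholders).
GOST_ONLY_DS = ["example. 3600 IN DS 1111 12 3 00aa"]
MIXED_DS = GOST_ONLY_DS + ["example. 3600 IN DS 2222 13 2 00bb"]
GOST_SIG = ["www.example. 300 IN RRSIG A 12 2 300 20300101000000 "
            "20250101000000 1111 example. AAAA"]
ECDSA_SIG = ["www.example. 300 IN RRSIG A 13 2 300 20300101000000 "
             "20250101000000 2222 example. AAAA"]

if __name__ == "__main__":
    print(delegation_state(GOST_ONLY_DS), delegation_state(MIXED_DS))
    print(rrset_state(GOST_SIG), rrset_state(GOST_SIG + ECDSA_SIG))
```

A state of "validate" only means an accepted record exists and cryptographic validation proceeds; it does not mean the data has been verified.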