On 6/9/15, 7:42, "Mark Andrews" <ma...@isc.org> wrote:
> How could it be done "per key"? keyids don't identify a key. They
> identify a set of keys.
Perhaps, but in practice that's not happened. Some key management software won't produce a DNSKEY RR matching an existing keyid. And "per key" could still be done via matching within the subset. But this is a trivial point. In general, adding one hash of DS alg 2 is probably sufficient to say that all the 1s are old, but then the RFC ought to have handled this better (like recommending that if any DS 1s are there and a DS 2 is added, have a DS 1 and DS 2 for all keys [or, for the pedantic, keyids]).

A long-time opinion of mine is that RFCs ought to stick to defining terms/protocol points in one place and then separately talk about operational profiles, preferably in documents that can be referenced separately (like in RFPs and contracts). I found that trying to make code prefer newer technologies over old by fiat seems to backfire (like the way DNS used to prefer v6 over v4 and now seems to have reversed, looking at some observed behavioral studies).
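To make the two points above concrete (a keyid names a set of keys, and a mixed-digest DS RRset should carry a DS 1 and DS 2 for every key), here is an added example that is not from this thread or from ISC. It assumes the key tag from RFC 4034 Appendix B and DS digest types 1 (SHA-1) and 2 (SHA-256) from RFC 4034/4509; the DNSKEY material is constructed, not real RSA keys.

```python
import hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (RFC 4034) and 2 (RFC 4509)

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey  # DNSKEY RDATA wire form

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag ('keyid'): a 16-bit checksum, so distinct keys
    can share a tag. (Algorithm 1, RSAMD5, uses a different rule; not handled.)"""
    acc = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):  # canonical owner name: lower case, uncompressed wire labels
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type):
    """DS as (key tag, algorithm, digest type, hex digest); digest = H(owner | DNSKEY RDATA)."""
    h = DIGESTS[digest_type](wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey))
    return (key_tag(flags, protocol, algorithm, pubkey), algorithm, digest_type, h.hexdigest())

def ds_gaps_by_tag(ds_rrset):
    """Thread's rule at keyid granularity: once the DS RRset mixes digest types, every
    (key tag, algorithm) needs a DS of each type. Returns {(tag, alg): [missing types]}."""
    present = {ds[2] for ds in ds_rrset}
    seen = {}
    for tag, alg, dtype, _ in ds_rrset:
        seen.setdefault((tag, alg), set()).add(dtype)
    return {k: sorted(present - v) for k, v in seen.items() if len(present) > 1 and present - v}

def ds_gaps_per_key(owner, dnskeys, ds_rrset):
    """Same rule per key: recompute each key's DS for every digest type in use and
    report those the DS RRset lacks. Returns {pubkey hex: [missing types]}."""
    present = {ds[2] for ds in ds_rrset}
    have, gaps = set(ds_rrset), {}
    for key in (dnskeys if len(present) > 1 else []):
        missing = [t for t in sorted(present) if ds_record(owner, *key, t) not in have]
        if missing:
            gaps[key[3].hex()] = missing
    return gaps

# Constructed demo (not real RSA material): KEY_A and KEY_B are distinct keys that
# share a key tag; only KEY_A got a digest-type-2 DS when the zone added SHA-256.
OWNER = "example.test."
KEY_A, KEY_B = (257, 3, 8, b"\x01\x02"), (257, 3, 8, b"\x00\x02\x01\x00")
DS_RRSET = [ds_record(OWNER, *KEY_A, 1), ds_record(OWNER, *KEY_A, 2), ds_record(OWNER, *KEY_B, 1)]

def demo():  # by tag: {} (tag 1291 already has both types); per key: KEY_B lacks type 2
    return ds_gaps_by_tag(DS_RRSET), ds_gaps_per_key(OWNER, [KEY_A, KEY_B], DS_RRSET)
```

The keyid-level check passes because both keys collapse onto tag 1291, while the per-key check (which needs the DNSKEY RRset in hand) catches the key that never got its DS 2.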
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations