On Sat, 15 Oct 2016, Ray Bellis wrote:
> I hadn't considered algorithm-specific tests, but the app could in
> theory include tests for whether zones known to be signed with specific
> algorithms can be correctly resolved with +AD returned.
What I would like to see are tests like:
set up a domain with an algorithm ID nobody will ever implement (reserve it
if need be), and check that this domain returns as unvalidated (as per
SHOULD in the RFC). Put in a MUST in relevant standards that
implementation must not treat this identifier as anything but "I don't
know anything about this" (i.e. don't implement specific tests for this
"algorithm" and treat it differently from any other algorithm ID that is
unknown).
These kinds of migration scenarios to newer algorithms MUST be hashed out,
because otherwise we're never going to be able to deploy new algorithms
(and per previous experience, it seems we want to change them every 5-10
years).
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop