Moin!
On 15 Oct 2016, at 10:22, Mikael Abrahamsson wrote:
> set up a domain with an algorithm ID nobody will ever implement
> (reserve it if need be), and check that this domain returns as
> unvalidated (as per SHOULD in the RFC).
Geoff Houston did some research here some years ago and just did an
update to his findings. You might want to look at:
http://www.potaroo.net/ispcol/2016-10/ecdsa-v2.html
> Put in a MUST in relevant standards that implementation must not treat
> this identifier as anything but "I don't know anything about this" (i.e.
> don't implement specific tests for this "algorithm" and treat it
> differently from any other algorithm ID that is unknown).
I'm not sure a change in the standards will be possible, as if I remember
correctly some people think that the fallback to insecure is not a good
thing. So I am not sure if we could achieve consensus on that. I think the
current RFCs are clear enough, and later versions of dnsmasq have corrected
the problem.
> These kinds of migration scenarios to newer algorithms MUST be hashed
> out, because otherwise we're never going to be able to deploy new
> algorithms (and per previous experience, it seems we want to change
> them every 5-10 years).
Yes, and there is some work in the TLD space. You might want to listen to
Ondrej's talk at DNS-OARC:
https://indico.dns-oarc.net/event/25/session/2/contribution/2
There are always issues rolling out new stuff, the sooner we encounter
and fix them the better. So thanks for finding and pointing it out.
So long
-Ralf
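An added example, not from this thread or from any resolver's code: a small Python model of the delegation rule that Mikael's test zone exercises (RFC 4035 section 5.2 and RFC 6840 section 5.2). The supported algorithm and digest sets, and the algorithm number 200 used as a stand-in for the "nobody will ever implement it" ID, are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed validator capabilities for this example (IANA DNSSEC algorithm and
# DS digest numbers a validator of that period commonly implemented).
SUPPORTED_ALGORITHMS = {5, 7, 8, 10, 13, 14}   # RSA/SHA-1 ... ECDSAP384SHA384
SUPPORTED_DIGESTS = {1, 2, 4}                  # SHA-1, SHA-256, SHA-384


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(line: str) -> DS:
    """Parse a DS record in presentation format, with or without a TTL,
    e.g. 'test.example. 3600 IN DS 12345 13 2 <hex digest>'."""
    fields = line.split()
    try:
        i = fields.index("DS")
    except ValueError:
        raise ValueError(f"not a DS record: {line!r}") from None
    if len(fields) < i + 5:
        raise ValueError(f"truncated DS record: {line!r}")
    key_tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
    return DS(key_tag, algorithm, digest_type, "".join(fields[i + 4:]).lower())


def classify_delegation(ds_rrset: Iterable[DS],
                        algorithms=SUPPORTED_ALGORITHMS,
                        digests=SUPPORTED_DIGESTS) -> str:
    """Decide what a validator must do with an authenticated DS RRset.

    A DS is usable only if BOTH its algorithm and its digest type are
    supported. No usable DS means there is no supported chain of trust, so
    the child zone is treated exactly like one with no DS at all:
    'insecure' (unvalidated), never bogus. One usable DS is enough: the
    child MUST then be validated, even if the other DS records carry
    algorithm IDs the validator has never heard of.
    """
    usable = [ds for ds in ds_rrset
              if ds.algorithm in algorithms and ds.digest_type in digests]
    return "validate" if usable else "insecure"
```

A validator that answers SERVFAIL for a zone whose only DS uses the unknown ID is the failure the thread describes; this model returns "insecure" for that zone and "validate" only when a usable DS is present.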
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop