On Thu, Jul 20, 2017 at 10:45 AM, Shumon Huque <[email protected]> wrote:
> On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson <[email protected]> wrote:
>
>> I disagree, if a zone operator selects "less-than" common algorithm they
>> do that at their own risk,
>> if the risk is not acceptable then it should dual sign....
>
> Yes. The point I was trying to make is that DANE sites (and probably
> others if they care about security) cannot afford to fail open. So they
> have to dual sign if they can stomach the costs, or delay deploying new
> algorithms for a long time. This draft is intended to (eventually) make the
> dual signing case easier to deal with operationally.

The point I'm making is that the proposed medicine is worse than the ailment.

Olafur
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
