Joe wrote:
> On Nov 1, 2018, at 16:27, Paul Hoffman <paul.hoffman at icann.org> wrote:
>
> The current ZONEMD draft fully supports algorithm agility. What it
> doesn't support is multiple hashes *within a single message*. Having seen
> how easy it is to screw up OpenPGP and S/MIME message processing to handle
> multiple hashes, I think having one hash per zone is much more likely to
> work.
> Suppose everybody supports digest algorithm A (e.g. it's the digest type
> that was mandatory to implement in the original specification). We use that
> in our ZONEMD RR because we have high confidence that clients will support
> it.
> At some later time digest algorithm B emerges which has some advantages
> over algorithm A. B is newer and not all software supports it. We would
> like to use B because its advantages are attractive to us, but we also want
> all of our clients to be able to use the ZONEMD RRs we publish.
> Since B is new we have lower confidence that it is supported by our
> current clients.
> We cannot use both A and B simultaneously on the publication side, since
> the specification requires us to choose just one.
> There is no signalling mechanism that will give us insight into our client
> population's support of algorithm B, even if we have non-empirical
> expectations that support will increase over time.
> Since we don't want to break things, we cannot use B.
> Joe
So, giving this some tiny bit of thought:

When is zonemd added to a response, is that when doing an AXFR?

Maybe signaling the algorithm(s) for which signature(s) are desired/understood would do the trick? I.e. in an EDNS option?

Do it as a list of signature combos, as an ordered list. Go through the list, and return the answer for the first entry whose requirements are met.

E.g. I understand A and B, but can only handle a single signature. I want to receive B if it is available, with fallback to A if it is not available. I specify "B", "A".

E.g. I understand A and B, and want both and will accept either. I specify "A AND B", "B", "A".

E.g. I understand A, B, and C. I can handle multiple signatures. I want C if it is available, or both A and B if C is not available but A and B are, and if not, any of A or B. I specify "C", "A AND B", "B", "A".

This has the side-effect of providing information about known signature types, at least those I'm willing to advertise. (E.g. I understand the programming language COBOL, but I won't advertise that fact on my resume.)

Brian
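[Added example, not from the ZONEMD draft or from anyone in this thread: a small model of the ordered "digest combo" preference list Brian sketches above. The client sends an ordered list of digest-type combinations it understands, most preferred first; the server walks the list and picks the first entry every member of which it can publish, falling back to its own default if nothing matches. The digest-type numbers for the A/B/C labels, the EDNS option wire layout (1-octet count followed by that many 1-octet digest-type codes per entry) and all function names are assumptions made for this illustration only.]

```python
"""Model of an ordered digest-preference list for ZONEMD (added example).

Nothing here is specified anywhere: digest-type numbers, the option
encoding and the selection rule are assumptions that follow Brian's
description in the thread.
"""
import struct  # noqa: F401  (kept for readers who want to add an EDNS header)
from typing import FrozenSet, List, Optional, Sequence

# Assumed digest-type numbers standing in for the A/B/C labels in the thread.
DIGEST_TYPES = {"A": 1, "B": 2, "C": 3}
LABELS = {v: k for k, v in DIGEST_TYPES.items()}

# One preference entry: a set of digest types that must ALL be satisfiable.
Combo = FrozenSet[int]


def parse_preferences(text: str) -> List[Combo]:
    """Turn '"C", "A AND B", "B", "A"' into an ordered list of combos."""
    combos: List[Combo] = []
    for raw in text.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        members = set()
        for tok in entry.split("AND"):
            label = tok.strip()
            if label not in DIGEST_TYPES:
                raise ValueError("unknown digest label %r" % label)
            members.add(DIGEST_TYPES[label])
        combos.append(frozenset(members))
    return combos


def encode_option(combos: Sequence[Combo]) -> bytes:
    """Hypothetical EDNS option data: per entry, a 1-octet count followed by
    that many 1-octet digest-type codes. List order (= preference) is kept."""
    out = bytearray()
    for combo in combos:
        out.append(len(combo))
        out.extend(sorted(combo))
    return bytes(out)


def decode_option(data: bytes) -> List[Combo]:
    """Inverse of encode_option. Rejects empty entries and truncated data so a
    malformed option cannot make the server pick something the client never
    asked for."""
    combos: List[Combo] = []
    i = 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0 or i + n > len(data):
            raise ValueError("malformed digest-preference option")
        combos.append(frozenset(data[i:i + n]))
        i += n
    return combos


def select_combo(prefs: Sequence[Combo], publishable: FrozenSet[int]) -> Optional[Combo]:
    """Server side: first entry whose digest types the server can all publish.
    None means no entry matched; the server then uses its default (e.g. the
    mandatory-to-implement type) rather than guessing."""
    for combo in prefs:
        if combo <= publishable:
            return combo
    return None


def describe(combo: Optional[Combo]) -> str:
    """Render a chosen combo back into the thread's A/B/C notation."""
    if combo is None:
        return "no match"
    return " AND ".join(LABELS[d] for d in sorted(combo))


if __name__ == "__main__":
    # Brian's third example: multi-digest client, server publishes A and B only.
    prefs = parse_preferences('"C", "A AND B", "B", "A"')
    wire = encode_option(prefs)
    server_view = decode_option(wire)
    print(describe(select_combo(server_view, frozenset({1, 2}))))
```

A client that can only handle a single digest simply never lists an AND entry, which is Brian's first example; a server that can publish only one type per zone (the current draft's rule) is the special case where publishable has one element, and the list still degrades to "first type in the list that the server has".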
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop