On Wed, Aug 7, 2019 at 7:29 PM Wessels, Duane <dwessels=40verisign....@dmarc.ietf.org> wrote:

> Greetings DNSOP,
>
> AFAICT there was no feedback received after this most recent version of
> the ZONEMD draft was posted.  As I mentioned before, there was one pretty
> significant change in that version:
>
> > The most significant change is that multiple ZONEMD records are
> allowed.  The document recommends that multiple digests be present only
> when transitioning to a new digest type algorithm and has this to say about
> verification given multiple digests:
> >
> > 4.1.  Verifying Multiple Digests
> >
> >   If multiple digests are present in the zone, e.g., during an
> >   algorithm rollover, at least one of the recipient's supported Digest
> >   Type algorithms MUST verify the zone.
> >
> >   It is RECOMMENDED that implementations maintain a (possibly
> >   configurable) list of supported Digest Type algorithms ranked from
> >   most to least preferred.  It is further RECOMMENDED that recipients
> >   use only their most preferred algorithm that is present in the zone
> >   for digest verification.
> >
> >   As a matter of local policy, the recipient MAY require that all
> >   supported and present Digest Type algorithms verify the zone.
>
>
> We would like to have feedback on this change before progressing to
> working group last call.
>
> DW
>

Allowing multiple digests is good for algorithm rollovers.

It would be nice if the receiving end could warn (without failing) if it
did not recognize the new algorithm.
If the new algorithm was known but did not verify, I don't know whether to
pass or fail, but at least warn.
I don't see a good way to specify that, so it may be out of scope for the
draft.

Seems fine to me as written.

-- 
Bob Harold
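The Section 4.1 policy quoted above (use the most preferred Digest Type present; optionally require all present, supported types to verify), together with the warn-but-do-not-fail behaviour for unrecognized or non-preferred algorithms that Bob raises, as an added Python example that is not part of the draft or of this thread. The Digest Type table, the `zone_digest` stand-in and the sample zone bytes are constructed assumptions, not the draft's definitions.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Assumed table of Digest Type codes to hash functions. The draft defines
# 1 = SHA-384; 2 is a hypothetical second type used only to model a rollover.
HASH_FOR_TYPE: Dict[int, Callable] = {1: hashlib.sha384, 2: hashlib.sha512}

def zone_digest(canonical_zone: bytes, digest_type: int) -> bytes:
    # Stand-in for the ZONEMD computation: the real digest covers the sorted
    # wire-format RRs with the ZONEMD digest field zeroed; that canonicalization
    # is assumed to have been done already and is passed in as bytes.
    return HASH_FOR_TYPE[digest_type](canonical_zone).digest()

def verify_zonemd(canonical_zone: bytes, records: List[Tuple[int, bytes]],
                  preferred: List[int], require_all: bool = False) -> Tuple[str, List[str]]:
    """Apply the Section 4.1 rules to (Digest Type, digest) pairs from the zone.

    preferred: the recipient's supported Digest Types, most to least preferred.
    Returns (outcome, warnings) with outcome "pass", "fail" or "unverified".
    """
    warnings: List[str] = []
    present: Dict[int, bytes] = {}
    for dtype, digest in records:
        if dtype in preferred and dtype in HASH_FOR_TYPE:
            present[dtype] = digest
        else:
            # Unknown algorithm (e.g. the new one in a rollover): warn, do not fail.
            warnings.append(f"Digest Type {dtype} present but not supported; ignored")
    if not present:
        return "unverified", warnings
    ranked = [t for t in preferred if t in present]
    results = {t: hmac.compare_digest(zone_digest(canonical_zone, t), present[t])
               for t in ranked}
    # Default: only the most preferred algorithm present decides the outcome;
    # a mismatch in any other present algorithm is reported as a warning only.
    # Local policy (require_all): every supported, present algorithm must verify.
    decisive = ranked if require_all else ranked[:1]
    for t in ranked:
        if t not in decisive and not results[t]:
            warnings.append(f"Digest Type {t} present but did not verify")
    outcome = "pass" if all(results[t] for t in decisive) else "fail"
    return outcome, warnings

# Constructed sample: a zone carrying two digests during a rollover.
SAMPLE_ZONE = b"example. 86400 IN SOA ns1.example. admin.example. 2019080701 ...\n"
GOOD_1 = zone_digest(SAMPLE_ZONE, 1)
GOOD_2 = zone_digest(SAMPLE_ZONE, 2)
```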
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop