Hi Duane,

On 7 Aug 2019, at 19:29, Wessels, Duane <dwessels=40verisign....@dmarc.ietf.org> wrote:

> AFAICT there was no feedback received after this most recent version of the
> ZONEMD draft was posted. As I mentioned before, there was one pretty
> significant change in that version:
>
>> The most significant change is that multiple ZONEMD records are allowed.
>> The document recommends that multiple digests be present only when
>> transitioning to a new digest type algorithm and has this to say about
>> verification given multiple digests:
>>
>> 4.1. Verifying Multiple Digests
>>
>> If multiple digests are present in the zone, e.g., during an
>> algorithm rollover, at least one of the recipient's supported Digest
>> Type algorithms MUST verify the zone.
>>
>> It is RECOMMENDED that implementations maintain a (possibly
>> configurable) list of supported Digest Type algorithms ranked from
>> most to least preferred. It is further RECOMMENDED that recipients
>> use only their most preferred algorithm that is present in the zone
>> for digest verification.
>>
>> As a matter of local policy, the recipient MAY require that all
>> supported and present Digest Type algorithms verify the zone.
>
> We would like to have feedback on this change before progressing to working
> group last call.

My suggestion is to focus on what is necessary for interop in the protocol and leave implementation decisions about the richness of local policy that can be configured to implementations.

I don't think the RECOMMENDED paragraph is necessary (perhaps I'm missing something) and I think the final MAY paragraph is implicit and doesn't need to be spelled out. So my preference would be:

OLD:

   4.1. Verifying Multiple Digests

   If multiple digests are present in the zone, e.g., during an
   algorithm rollover, at least one of the recipient's supported Digest
   Type algorithms MUST verify the zone.

   It is RECOMMENDED that implementations maintain a (possibly
   configurable) list of supported Digest Type algorithms ranked from
   most to least preferred. It is further RECOMMENDED that recipients
   use only their most preferred algorithm that is present in the zone
   for digest verification.

   As a matter of local policy, the recipient MAY require that all
   supported and present Digest Type algorithms verify the zone.

NEW:

   4.1. Verifying Multiple Digests

   If multiple digests are present in the zone, e.g., during an
   algorithm rollover, at least one of the recipient's supported Digest
   Type algorithms MUST verify the zone.

However, I don't think the two paragraphs I just casually removed do any harm, and I would not object if they were kept in.

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
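The three verification behaviours being debated above (the MUST that at least one supported digest verifies, the RECOMMENDED "check only your most preferred algorithm present in the zone", and the MAY "require all supported, present digests to verify") differ in observable ways during an algorithm rollover. The following is an added illustration written for this page; it is neither text from the draft nor code from any ZONEMD implementation. It assumes the RFC 8976 code points (scheme 1 = SIMPLE, hash algorithm 1 = SHA-384, 2 = SHA-512) and uses a constructed byte string as a stand-in for the zone's canonical serialization, since the policy logic does not depend on how those bytes are produced.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Sequence

# ZONEMD code points as registered by RFC 8976 (assumed for this example).
HASH_ALGS: Dict[int, str] = {1: "sha384", 2: "sha512"}
SCHEME_SIMPLE = 1


@dataclass(frozen=True)
class ZonemdRecord:
    """One ZONEMD RR: the RDATA fields Serial, Scheme, Hash Algorithm, Digest."""
    serial: int
    scheme: int
    hash_alg: int
    digest: bytes


class Policy(Enum):
    ANY_SUPPORTED = "any"         # the MUST: at least one supported digest verifies
    PREFERRED_ONLY = "preferred"  # the RECOMMENDED: check only the most preferred present
    ALL_SUPPORTED = "all"         # the MAY: every supported, present digest must verify


# Constructed stand-in for the canonical zone serialization (not the real
# RFC 8976 input, which orders RRs canonically and zeroes the ZONEMD digest).
ZONE_BYTES = (
    b"example. 86400 IN SOA ns1.example. admin.example. 2019080701 3600 900 604800 86400\n"
    b"example. 86400 IN NS ns1.example.\n"
    b"ns1.example. 86400 IN A 192.0.2.1\n"
)
ZONE_SERIAL = 2019080701


def compute_digest(zone_bytes: bytes, hash_alg: int) -> bytes:
    return hashlib.new(HASH_ALGS[hash_alg], zone_bytes).digest()


def make_zonemd(zone_bytes: bytes, serial: int, hash_alg: int) -> ZonemdRecord:
    """Publisher side: emit a ZONEMD record for one hash algorithm."""
    return ZonemdRecord(serial, SCHEME_SIMPLE, hash_alg, compute_digest(zone_bytes, hash_alg))


def verify_zone(zone_bytes: bytes, serial: int, records: Sequence[ZonemdRecord],
                preference: List[int], policy: Policy = Policy.PREFERRED_ONLY) -> bool:
    """Recipient side. `preference` is the ranked list of supported hash algorithms,
    most preferred first; `policy` selects which of the draft's three rules applies."""
    # Only records we can actually check count: right scheme, right serial, supported algorithm.
    candidates = [r for r in records
                  if r.scheme == SCHEME_SIMPLE and r.serial == serial and r.hash_alg in preference]
    if not candidates:
        return False  # nothing verifiable: fail under every policy
    if policy is Policy.ALL_SUPPORTED:
        return all(compute_digest(zone_bytes, r.hash_alg) == r.digest for r in candidates)
    if policy is Policy.PREFERRED_ONLY:
        best = min(candidates, key=lambda r: preference.index(r.hash_alg))
        return compute_digest(zone_bytes, best.hash_alg) == best.digest
    return any(compute_digest(zone_bytes, r.hash_alg) == r.digest for r in candidates)


def rollover_scenario(preference: List[int], policy: Policy) -> bool:
    """Constructed mid-rollover zone: the SHA-384 record no longer matches the zone
    (only the SHA-512 record was regenerated), so the policies disagree."""
    mismatched = ZonemdRecord(ZONE_SERIAL, SCHEME_SIMPLE, 1, b"\x00" * 48)
    fresh = make_zonemd(ZONE_BYTES, ZONE_SERIAL, 2)
    return verify_zone(ZONE_BYTES, ZONE_SERIAL, [mismatched, fresh], preference, policy)
```

With both records fresh, all three policies agree. In the mismatched-rollover case, the MUST alone accepts the zone (the SHA-512 digest verifies), the "most preferred only" rule rejects it for a recipient that ranks SHA-384 first and accepts it for one that ranks SHA-512 first, and the "all must verify" rule rejects it regardless of ranking. That ranking-dependent outcome is the interoperability question the thread is weighing.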