On Aug 8, 2019, at 14:51, John Levine <jo...@taugh.com> wrote:

> I agree with Joe's advice to limit the spec to what you need to
> interoperate. It's a good idea to allow algorithm rollover, but I
> don't think it's useful to try and guess how people might implement
> it, or to try to invent a way to send back failure reports.
>
>
>> NEW:
>>
>> 4.1. Verifying Multiple Digests
>>
>> If multiple digests are present in the zone, e.g., during an
>> algorithm rollover, at least one of the recipient's supported Digest
>> Type algorithms MUST verify the zone.
>
> I don't see how that's a MUST. What else could you do?

One alternative would be for the receiver to insist that all digests with supported algorithms match. It seems reasonable to specify that verifying that one of them matches is sufficient to declare the zone intact.

I realise now that you mention it that that's not exactly what the text says, but that's how I interpreted it earlier.


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop