On Thu, 8 Aug 2019, Joe Abley wrote:
> I don't see how that's a MUST. What else could you do?
One alternative would be for the receiver to insist that all digests
with supported algorithms match. It seems reasonable to specify that
verifying that one of them matches is sufficient to declare the zone
intact.
If there are multiple digests and some validate and some don't, I can
think of a whole lot of reasons why that might happen, e.g., bug at the
signer, bug at the verifier, cosmic ray bit flip in one of the digests,
MITM with a strange sense of humor. I don't want to try to offer
experience-free advice on how to debug that.
In realistic cases, unless there's a catastrophic break of one of the
algorithms (so sensible verifiers will stop accepting it), if any of the
digests verify, the chances are extremely high that the zone is good.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
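The two verifier policies discussed above ("any one supported digest matches" versus "every supported digest must match"), as an added example that is not code from the thread or from any ZONEMD implementation. It assumes a deliberately simplified zone canonicalisation (sorted, lowercased presentation-format lines with ZONEMD records excluded); the real scheme canonicalises wire-format RRsets, so only the acceptance policy is modelled here. The sample zone and the digest records are constructed; hash algorithm ids 1 (SHA-384) and 2 (SHA-512) follow the ZONEMD registry.

```python
"""Model of the "one matching digest is enough" verifier policy."""
import hashlib

# ZONEMD hash algorithm ids: 1 = SHA-384, 2 = SHA-512.
SUPPORTED = {1: hashlib.sha384, 2: hashlib.sha512}

# Constructed sample zone in presentation format (not real data).
SAMPLE_ZONE = [
    "example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
    "2019080801 7200 3600 1209600 3600",
    "example.test. 3600 IN NS ns1.example.test.",
    "ns1.example.test. 3600 IN A 192.0.2.1",
    "www.example.test. 3600 IN A 192.0.2.10",
]


def digest_input(zone_lines):
    """Simplified canonical form (assumption, not RFC 8976's): drop ZONEMD
    records, lowercase, sort, newline-join."""
    kept = sorted(line.lower() for line in zone_lines
                  if " zonemd " not in f" {line.lower()} ")
    return ("\n".join(kept) + "\n").encode()


def compute_digest(zone_lines, alg):
    """Hex digest of the zone under one supported algorithm."""
    return SUPPORTED[alg](digest_input(zone_lines)).hexdigest()


def publish_digests(zone_lines, algs=(1, 2)):
    """Signer side: one (alg, hex digest) record per algorithm."""
    return [(alg, compute_digest(zone_lines, alg)) for alg in algs]


def corrupt_digest(digests, alg):
    """Flip one hex nibble of the digest for `alg` (the cosmic-ray case)."""
    out = []
    for a, d in digests:
        if a == alg:
            d = ("0" if d[0] != "0" else "1") + d[1:]
        out.append((a, d))
    return out


def check_digests(zone_lines, digests):
    """Per-record outcome: True/False for supported algorithms, None when
    the verifier does not support the algorithm (record is skipped)."""
    return [(alg, compute_digest(zone_lines, alg) == d if alg in SUPPORTED else None)
            for alg, d in digests]


def zone_verifies(zone_lines, digests, policy="any"):
    """policy="any": one matching supported digest declares the zone intact.
    policy="all": every supported digest must match (the stricter alternative).
    With no supported digest present the zone cannot be verified under either."""
    outcomes = [ok for _, ok in check_digests(zone_lines, digests) if ok is not None]
    if not outcomes:
        return False
    return any(outcomes) if policy == "any" else all(outcomes)


if __name__ == "__main__":
    good = publish_digests(SAMPLE_ZONE)
    bad = corrupt_digest(good, 1)          # SHA-384 record damaged, SHA-512 intact
    print("intact zone, any policy:     ", zone_verifies(SAMPLE_ZONE, good, "any"))
    print("one digest corrupted, any:   ", zone_verifies(SAMPLE_ZONE, bad, "any"))
    print("one digest corrupted, all:   ", zone_verifies(SAMPLE_ZONE, bad, "all"))
    print("per-record outcomes:         ", check_digests(SAMPLE_ZONE, bad))
```

Running it shows the divergence the thread is about: with one of two digests damaged, the "any" verifier still accepts the zone because the SHA-512 record matches, while the "all" verifier rejects it; a zone whose content was actually changed fails under both, and a record carrying only an unsupported algorithm id verifies under neither.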