Thanks John and Joe, does this text capture what you're suggesting?

   4.1. Verifying Multiple Digests

   If multiple digests are present in the zone, e.g., during an
   algorithm rollover, a match using any one of the recipient's
   supported Digest Type algorithms is sufficient to verify the zone.

DW

> On Aug 8, 2019, at 12:56 PM, John R Levine <jo...@taugh.com> wrote:
>
> On Thu, 8 Aug 2019, Joe Abley wrote:
>>> I don't see how that's a MUST. What else could you do?
>>
>> One alternative would be for the receiver to insist that all digests
>> with supported algorithms match. It seems reasonable to specify that
>> verifying that one of them matches is sufficient to declare the zone
>> intact.
>
> If there are multiple digests and some validate and some don't, I can think
> of a whole lot of reasons why that might happen, e.g., bug at the signer, bug
> at the verifier, cosmic ray bit flip in one of the digests, MITM with a
> strange sense of humor. I don't want to try to offer experience-free advice
> on how to debug that.
>
> In realistic cases, unless there's a catastrophic break of one of the
> algorithms (so sensible verifiers will stop accepting it), if any of the
> digests verify, the chances are extremely high that the zone is good.
>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
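The verification rule proposed above, "a match using any one of the recipient's supported algorithms is sufficient", written out as an added example (this is not code from the draft, from DW, or from any ZONEMD implementation). It assumes the hash algorithm codes later assigned in RFC 8976 (1 = SHA-384, 2 = SHA-512), that the zone data handed in is already in canonical form (real ZONEMD canonicalises the zone's RRsets first), and a constructed sample zone. The record class, function names and status strings are my own. Beyond the one-match rule it also shows the two situations John raises: a digest set where some members match and some don't (still verified, but every mismatch is reported so the operator can investigate), and a set containing only unsupported algorithms (which yields no verdict at all rather than a failure).

```python
"""Toy ZONEMD-style verifier for the 'multiple digests' rule."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Hash algorithm codes as assigned in RFC 8976 (1 = SHA-384, 2 = SHA-512).
# Assumption: the draft revision discussed in the thread may differ.
SUPPORTED_HASH_ALGS: Dict[int, str] = {1: "sha384", 2: "sha512"}
SCHEME_SIMPLE = 1  # the only scheme this example understands


@dataclass(frozen=True)
class ZoneMdRecord:
    serial: int      # must equal the zone's SOA serial to be considered
    scheme: int
    hash_alg: int
    digest: bytes


def compute_digest(zone_data: bytes, hash_alg: int) -> bytes:
    """Digest of the zone data. Assumption: zone_data is already the
    canonical byte sequence; real ZONEMD builds that from the RRsets."""
    return hashlib.new(SUPPORTED_HASH_ALGS[hash_alg], zone_data).digest()


def verify_zone(zone_data: bytes, soa_serial: int,
                records: Sequence[ZoneMdRecord]) -> Tuple[str, List[str]]:
    """Apply the draft rule: one match on any supported algorithm suffices.

    Returns (status, notes) with status one of 'verified',
    'digest-mismatch' (supported digests present, none matched) or
    'no-usable-digest' (nothing the verifier could check). The notes list
    every skipped or failed digest so a match next to a mismatch is not
    silently swallowed."""
    notes: List[str] = []
    mismatches = 0
    for rec in records:
        if rec.serial != soa_serial:
            notes.append(f"skip alg {rec.hash_alg}: serial {rec.serial} != SOA {soa_serial}")
            continue
        if rec.scheme != SCHEME_SIMPLE or rec.hash_alg not in SUPPORTED_HASH_ALGS:
            notes.append(f"skip scheme {rec.scheme}/alg {rec.hash_alg}: unsupported")
            continue
        expected = compute_digest(zone_data, rec.hash_alg)
        # Constant-time comparison; a length mismatch simply yields False.
        if hmac.compare_digest(expected, rec.digest):
            notes.append(f"alg {rec.hash_alg}: match")
            return "verified", notes
        mismatches += 1
        notes.append(f"alg {rec.hash_alg}: MISMATCH")
    if mismatches:
        return "digest-mismatch", notes
    return "no-usable-digest", notes


def demo() -> Dict[str, str]:
    """Four constructed scenarios; the zone bytes are sample data, not a real zone."""
    zone = b"example. 3600 IN SOA ns1.example. admin.example. 2019080801 ...\n"  # constructed
    serial = 2019080801
    good384 = ZoneMdRecord(serial, SCHEME_SIMPLE, 1, compute_digest(zone, 1))
    good512 = ZoneMdRecord(serial, SCHEME_SIMPLE, 2, compute_digest(zone, 2))
    bad384 = ZoneMdRecord(serial, SCHEME_SIMPLE, 1, bytes(48))    # corrupted digest
    exotic = ZoneMdRecord(serial, SCHEME_SIMPLE, 240, bytes(32))  # code this verifier lacks
    return {
        "rollover": verify_zone(zone, serial, [good384, good512])[0],
        "one_bad_one_good": verify_zone(zone, serial, [bad384, good512])[0],
        "all_bad": verify_zone(zone, serial, [bad384])[0],
        "only_unsupported": verify_zone(zone, serial, [exotic])[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The distinction between 'digest-mismatch' and 'no-usable-digest' matters operationally: the first is evidence the zone (or a digest) is wrong, the second only means this verifier is too old to say anything, which is exactly the state a resolver is in during an algorithm rollover it does not yet support.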