Duane and all,
On 08/08/2019 01.29, Wessels, Duane wrote:
AFAICT there was no feedback received after this most recent version of the
ZONEMD draft was posted. As I mentioned before, there was one pretty
significant change in that version:
The most significant change is that multiple ZONEMD records are allowed. The
document recommends that multiple digests be present only when transitioning to
a new digest type algorithm and has this to say about verification given
multiple digests:
4.1. Verifying Multiple Digests
If multiple digests are present in the zone, e.g., during an
algorithm rollover, at least one of the recipient's supported Digest
Type algorithms MUST verify the zone.
It is RECOMMENDED that implementations maintain a (possibly
configurable) list of supported Digest Type algorithms ranked from
most to least preferred. It is further RECOMMENDED that recipients
use only their most preferred algorithm that is present in the zone
for digest verification.
As a matter of local policy, the recipient MAY require that all
supported and present Digest Type algorithms verify the zone.
We would like to have feedback on this change before progressing to working
group last call.
It makes sense to me.
I updated my proof-of-concept Python code to match this draft, and was
able to verify the examples in it.
I think the draft is clear and complete enough for last call.
Cheers,
--
Shane
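The section 4.1 policy quoted above, as an added worked example (this is not Shane's proof-of-concept and not the draft's reference code). It models a recipient with a ranked list of supported Digest Types, verifies with only the most preferred one present, and optionally applies the "all supported and present must verify" local policy. Assumptions: Digest Type 1 is SHA-384 as in the draft; code 2 is used as SHA-512 only to have a second algorithm for the rollover illustration; the zone serialisation that is hashed is a simplified stand-in (sorted presentation-format lines, ZONEMD records dropped), not the draft's canonical ordering and wire format; the sample zone is constructed.

```python
"""Worked example of ZONEMD multi-digest verification policy (draft section 4.1).

Added example code, not the draft's or Shane's implementation.  The digest
computation is a simplified stand-in (assumption): the draft's canonical RR
ordering, wire-format encoding and exact inclusion/exclusion rules are not
reproduced here; only the selection and verification policy is the point.
"""
import hashlib
from dataclasses import dataclass

# Digest Type 1 = SHA-384 is the algorithm defined in the draft.
# Code 2 = SHA-512 is an assumption made only so the example has a second
# algorithm to roll over to; it is not taken from this draft version.
HASHES = {1: "sha384", 2: "sha512"}


@dataclass(frozen=True)
class ZoneMD:
    serial: int        # must match the SOA serial to be considered
    digest_type: int   # Digest Type code
    digest: str        # hex digest


# Constructed sample zone in presentation format.
ZONE = [
    "example. 86400 IN SOA ns1.example. admin.example. 2019080801 7200 3600 1209600 3600",
    "example. 86400 IN NS ns1.example.",
    "ns1.example. 86400 IN A 192.0.2.1",
]


def soa_serial(zone_lines):
    """Return the serial from the zone's SOA record (field 7 of the line)."""
    for line in zone_lines:
        fields = line.split()
        if len(fields) > 6 and fields[3] == "SOA":
            return int(fields[6])
    raise ValueError("zone has no SOA record")


def zone_digest(zone_lines, digest_type):
    """Simplified stand-in for the draft's digest computation (assumption):
    sort the RR lines, drop ZONEMD records (a digest cannot cover itself),
    and hash the result with the requested algorithm."""
    hasher = hashlib.new(HASHES[digest_type])
    for line in sorted(l for l in zone_lines if " ZONEMD " not in l):
        hasher.update(line.encode() + b"\n")
    return hasher.hexdigest()


def publish(zone_lines, digest_types):
    """Producer side: one ZONEMD record per Digest Type.  Two types present
    at once is the algorithm-rollover situation the draft describes."""
    serial = soa_serial(zone_lines)
    return [ZoneMD(serial, dt, zone_digest(zone_lines, dt)) for dt in digest_types]


def verify_zone(zone_lines, zonemds, supported, require_all=False):
    """Apply the section 4.1 policy.

    supported   -- recipient's Digest Types, ranked most to least preferred
    require_all -- local policy: every supported-and-present type must verify
    Returns (verified, checked) where checked lists (digest_type, ok) pairs.
    """
    serial = soa_serial(zone_lines)
    present = {}
    for z in zonemds:
        if z.serial == serial:  # ignore records from a different zone version
            present.setdefault(z.digest_type, set()).add(z.digest)
    candidates = [dt for dt in supported if dt in present]
    if not candidates:
        return False, []  # no algorithm in common: cannot verify
    # RECOMMENDED behaviour: use only the most preferred algorithm present,
    # with no fallback to a less preferred one if it fails.
    to_check = candidates if require_all else candidates[:1]
    checked = [(dt, zone_digest(zone_lines, dt) in present[dt]) for dt in to_check]
    return all(ok for _, ok in checked), checked


def demo():
    """Run the policy against a rollover zone and a zone with one bad digest."""
    rollover = publish(ZONE, [1, 2])  # both digests present during rollover
    results = {
        "new_recipient": verify_zone(ZONE, rollover, supported=[2, 1]),
        "old_recipient": verify_zone(ZONE, rollover, supported=[1]),
        "no_common": verify_zone(ZONE, rollover, supported=[99]),
    }
    # Corrupt the SHA-512 digest: a recipient preferring type 2 fails and does
    # not fall back; a type-1-only recipient still verifies; require_all fails.
    bad = [rollover[0], ZoneMD(soa_serial(ZONE), 2, "00" * 64)]
    results["bad_preferred"] = verify_zone(ZONE, bad, supported=[2, 1])
    results["bad_type1_only"] = verify_zone(ZONE, bad, supported=[1])
    results["bad_require_all"] = verify_zone(ZONE, bad, supported=[1, 2], require_all=True)
    return results


if __name__ == "__main__":
    for name, (ok, checked) in demo().items():
        print(f"{name:16s} verified={ok} checked={checked}")
```

The "bad_preferred" case shows the consequence of the RECOMMENDED rule as worded: a recipient whose most preferred algorithm is present but whose digest fails does not quietly fall back to a less preferred digest, so a publisher mid-rollover must get every published digest right, not just the one older recipients use.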
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop