On Sun, 19 Jul 2020, Paul Vixie wrote:
On Sunday, 19 July 2020 07:52:39 UTC Ondřej Surý wrote:
I just want to point out that I am certainly not overthinking this with my
implementor's hat. The RFC and code-point puts pressure on the DNS vendors
to actually implement this „because there’s RFC“. ...

If we are talking about Nation State ciphers, the pressure is on them to
submit code to get it supported. Whether it is in openssl or bind or
whatnot.

i'm going to want to be able to validate signatures generated in russia by
russians of russian dns zones. so my pressure on my implementors will not be
because there's an RFC, but rather, because there are keys and signatures.
the thing we live on is round.

Indeed. As much as I also want to limit the number of algorithms because
most Nation State ones will never see real deployment, we cannot really
prevent them from trying to get a real deployment.
If someone from Europe or North America would come up with another
algorithm, I'd be more tempted to say no than if Russia or China
would come to ask for one.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop