> On Oct 9, 2020, at 12:08 PM, Ben Schwartz <bem...@google.com> wrote:
>
> > 6.2. Use of Multiple ZONEMD Hash Algorithms
> >
> > When a zone publishes multiple ZONEMD RRs, the overall security is only as good as the weakest hash algorithm in use.
>
> Why not require recipients to verify all digests with recognized algorithms?

That text stating that one is sufficient was based on a conversation in the working group that started here:

https://mailarchive.ietf.org/arch/msg/dnsop/RFCklH7Lx00bL-tOVRCAc0j5ftw/

DW
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop