On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google....@dmarc.ietf.org> 
wrote:

> That model works well when (a) all validators implement an algorithm you like 
> OR (b) you view each algorithm as either "definitely strong" or "worthless" 
> (no middle ground). 

We are in scenario (b).

When you sign a zone you choose one or more algorithms that are individually 
sufficient. Their relative strength is not important.

> Otherwise, the zone owner has a dilemma.  Should I protect fewer users with 
> higher confidence, or more users with lower confidence?  I think that is the 
> sticking point in this conversation.

I think zone owners are not protecting anybody; they are including a means to 
gauge authenticity in their responses so that validators can protect users.

There's nothing practically preventing validators from applying local policy in 
the way they determine whether a response is authentic. Whether or not that's a 
good idea is an interesting question, but I think it's orthogonal to how 
individual RRSets are signed. 

> Telling validators to "insist" that all signatures are valid would resolve 
> this dilemma.  Zone owners could add algorithms without weakening anything.

How do you deploy a new signing algorithm alongside an established one without 
going dark to users using validators that don't support it, in that case?


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
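
An added sketch, not part of this message or the thread, comparing how one RRset signed with two algorithms is classified by validators with different algorithm support under the two policies discussed above. It assumes "insist" means a validator counts a signature it cannot verify as a failure; the Policy names, validator names and algorithm sets are constructed for illustration.

```python
# Added illustration; policy names and sample data are constructed.
from enum import Enum

class Policy(Enum):
    ANY_SUPPORTED = "any supported signature suffices"
    INSIST_ALL = "every zone algorithm must validate"  # assumed reading

def validate(zone_algs, good_sigs, supported, policy):
    """Classify one RRset as 'secure', 'bogus' or 'insecure'.

    zone_algs: DNSSEC algorithm numbers the zone is signed with
    good_sigs: algorithms whose RRSIG over the RRset is correct
    supported: algorithms this validator implements
    """
    usable = zone_algs & supported
    if not usable:
        # RFC 4035 5.2: no supported algorithm, treat the zone as unsigned.
        return "insecure"
    if policy is Policy.ANY_SUPPORTED:
        return "secure" if usable & good_sigs else "bogus"
    # INSIST_ALL: a signature that cannot be checked counts as a failure.
    checked_and_good = good_sigs & supported
    return "secure" if zone_algs <= checked_and_good else "bogus"

# Constructed sample: RSASHA256 (8) established, ED25519 (15) being added.
ZONE = frozenset({8, 15})
VALIDATORS = {
    "older": frozenset({8, 13}),        # does not implement 15
    "current": frozenset({8, 13, 15}),
}

def rollout(policy, good_sigs=ZONE):
    """Outcome per validator for the sample zone under one policy."""
    return {name: validate(ZONE, good_sigs, algs, policy)
            for name, algs in VALIDATORS.items()}

if __name__ == "__main__":
    for policy in Policy:
        print(policy.name, rollout(policy))
    # Same zone, but only the algorithm 8 signature is correct.
    for policy in Policy:
        print(policy.name, "bad 15 sig:", rollout(policy, frozenset({8})))
```
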