On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google....@dmarc.ietf.org> wrote:
> That model works well when (a) all validators implement an algorithm you like
> OR (b) you view each algorithm as either "definitely strong" or "worthless"
> (no middle ground). We are in scenario (b).

When you sign a zone you choose one or more algorithms that are individually sufficient. Their relative strength is not important.

> Otherwise, the zone owner has a dilemma. Should I protect fewer users with
> higher confidence, or more users with lower confidence? I think that is the
> sticking point in this conversation.

I think zone owners are not protecting anybody; they are including a means to gauge authenticity in their responses so that validators can protect users. There's nothing practically preventing validators from applying local policy in the way they determine whether a response is authentic. Whether or not that's a good idea is an interesting question, but I think it's orthogonal to how individual RRSets are signed.

> Telling validators to "insist" that all signatures are valid would resolve
> this dilemma. Zone owners could add algorithms without weakening anything.

How do you deploy a new signing algorithm alongside an established one without going dark to users using validators that don't support it, in that case?

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
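What the two policies do to a zone that adds an algorithm can be simulated. The following is an added example, not code from the thread or from any of its participants: a Python model of a validator that combines per-RRSIG results under either the deployed "any valid signature suffices" rule or the "insist all signatures are valid" rule Ben proposes, and then runs the rollover Joe asks about. Signing is a stand-in (HMAC-SHA256 with constructed keys) rather than real DNSSEC cryptography; the algorithm numbers are the IANA DNSSEC ones, and the function names, validator profiles and RRset are constructed for the example.

```python
"""Added example: validator policy simulation for multi-algorithm signed zones.

'any': the deployed behaviour; one verifiable signature suffices.
'all': the "insist all signatures are valid" policy from the thread.

Signing is a stand-in (HMAC-SHA256 keyed per algorithm), not real DNSSEC
crypto. Algorithm numbers are the IANA DNSSEC ones; keys are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519 = 5, 8, 13, 15

# Constructed zone keys, one per algorithm the zone might sign with. A real
# validator would take these from the zone's DNSKEY RRset after chasing DS.
ZONE_KEYS = {
    RSASHA1: b"constructed-zsk-alg5",
    RSASHA256: b"constructed-zsk-alg8",
    ECDSAP256SHA256: b"constructed-zsk-alg13",
    ED25519: b"constructed-zsk-alg15",
}


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    signature: bytes


def _toy_sign(algorithm: int, rrset: bytes) -> bytes:
    # Stand-in for the real signature algorithm: keyed HMAC-SHA256.
    return hmac.new(ZONE_KEYS[algorithm], rrset, hashlib.sha256).digest()


def sign_rrset(rrset: bytes, algorithms) -> list:
    """Zone owner side: one RRSIG per algorithm the zone is signed with."""
    return [RRSIG(alg, _toy_sign(alg, rrset)) for alg in algorithms]


def check_signature(rrset: bytes, sig: RRSIG, supported: set) -> str:
    """Validator side: 'valid', 'invalid' or 'unsupported'. Unsupported covers
    both "not implemented" and "disabled by local policy"; the validator treats
    the two the same way when it looks at an RRSIG."""
    if sig.algorithm not in supported:
        return "unsupported"
    ok = hmac.compare_digest(_toy_sign(sig.algorithm, rrset), sig.signature)
    return "valid" if ok else "invalid"


def validate(rrset: bytes, rrsigs, supported: set, policy: str) -> str:
    """Combine per-signature results under one of the two policies.

    'any': secure if at least one checkable signature verifies; bogus if some
           were checkable and none verified; insecure if nothing was checkable
           (the usual treatment of a zone whose algorithms the validator lacks).
    'all': every RRSIG must verify, so an unsupported one makes the RRset bogus.
    """
    results = [check_signature(rrset, sig, supported) for sig in rrsigs]
    if policy == "any":
        if "valid" in results:
            return "secure"
        return "bogus" if "invalid" in results else "insecure"
    if policy == "all":
        return "secure" if results and all(r == "valid" for r in results) else "bogus"
    raise ValueError(f"unknown policy {policy!r}")


def rollover_outcomes(rrset: bytes) -> dict:
    """The deployment question from the thread: the zone adds ED25519 next to
    its existing RSASHA256 signatures. How does each kind of validator fare?"""
    rrsigs = sign_rrset(rrset, [RSASHA256, ED25519])
    validators = {  # constructed validator profiles
        "old (RSASHA256 only)": {RSASHA256},
        "new (RSASHA256 + ED25519)": {RSASHA256, ED25519},
    }
    return {
        (name, policy): validate(rrset, rrsigs, algs, policy)
        for name, algs in validators.items()
        for policy in ("any", "all")
    }


if __name__ == "__main__":
    rr = b"example. 3600 IN A 192.0.2.1"  # constructed RRset, wire form elided
    for (who, policy), verdict in rollover_outcomes(rr).items():
        print(f"{who:28} policy={policy:3} -> {verdict}")
```

Running it shows the old validator secure under "any" and bogus under "all", which is the going-dark outcome Joe describes; the new validator is secure under both. The same model also covers the local-policy point: removing an algorithm from a validator's `supported` set turns its signatures into "unsupported", so a zone signed only with that algorithm becomes insecure under "any" rather than bogus.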