> On 6 Jan 2021, at 20:48, Ben Schwartz <bemasc=40google....@dmarc.ietf.org>
> wrote:
>
>> > Telling validators to "insist" that all signatures are valid would resolve
>> > this dilemma. Zone owners could add algorithms without weakening anything.
>>
>> How do you deploy a new signing algorithm alongside an established one
>> without going dark to users using validators that don't support it, in that
>> case?
>>
> To clarify, I meant "all signatures under algorithms that are implemented by
> the validator", i.e. "check everything you can".

??? Are you saying validators should check every RRSIG for each algorithm that they support even after they’ve found one of these RRSIGs that validated?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
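
The two validator policies discussed in this thread ("stop at the first RRSIG that validates" versus "check everything you can"), modelled side by side as an added example that is not part of the original messages. The `Rrsig` type, the `verifies` flag (a constructed stand-in for the real cryptographic check) and the sample RRsets are assumptions made for illustration; the "insecure" case is simplified to the RRSIG set rather than the DS set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:
    algorithm: int  # DNSSEC algorithm number (8 = RSASHA256, 15 = ED25519)
    verifies: bool  # constructed stand-in for the signature check result

def validate(rrsigs, supported, check_all):
    """Classify one RRset as 'secure', 'bogus' or 'insecure' (simplified model)."""
    # Signatures under algorithms the validator does not implement are ignored
    # by both policies, so adding a new algorithm never makes a zone go dark.
    usable = [s for s in rrsigs if s.algorithm in supported]
    if not usable:
        return "insecure"  # nothing this validator is able to evaluate
    results = [s.verifies for s in usable]
    # check_all=False: accept as soon as any one supported RRSIG validates.
    # check_all=True:  every RRSIG under a supported algorithm must validate.
    ok = all(results) if check_all else any(results)
    return "secure" if ok else "bogus"

def compare(rrsigs, supported):
    """Return (any-one-valid verdict, check-everything-you-can verdict)."""
    return (validate(rrsigs, supported, check_all=False),
            validate(rrsigs, supported, check_all=True))

# Constructed sample: a zone signed with both an established and a new algorithm.
DUAL_SIGNED = [Rrsig(8, True), Rrsig(15, True)]
# Constructed sample: an answer whose algorithm-8 RRSIG validates while its
# algorithm-15 RRSIG does not (the case where the two policies differ).
MISMATCHED = [Rrsig(8, True), Rrsig(15, False)]

if __name__ == "__main__":
    for name, rrset in (("dual-signed", DUAL_SIGNED), ("mismatched", MISMATCHED)):
        for supported in ({8}, {8, 15}):
            print(name, sorted(supported), compare(rrset, supported))
```

The policies only diverge for a validator that implements both algorithms and sees them disagree; a validator that implements only algorithm 8 reaches the same verdict either way.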