Hi Ben,
could you please briefly summarize how this relates to the last paragraph of
https://tools.ietf.org/html/rfc4035#section-2.2 ?
The way I understand it, each DNSKEY already must be treated as the
proposed "strict" mode, thus this proposal is completely useless.
Thanks,
Libor
Dne 23. 02. 21 v 16:08 Ben Schwartz napsal(a):
Inspired by some recent discussions here (and at DNS-OARC), and
hastened by the draft cut-off, I present for your consideration
"DNSSEC Strict Mode":
https://datatracker.ietf.org/doc/html/draft-schwartz-dnsop-dnssec-strict-mode-00
Abstract:
Currently, the DNSSEC security of a zone is limited by the strength of
its weakest signature algorithm. DNSSEC Strict Mode makes zones as
secure as their strongest algorithm instead.
The draft has a long discussion about why and how, but the core
normative text is just three sentences:
The DNSSEC Strict Mode flag appears in bit $N of the DNSKEY flags
field. If this flag is set, all records in the zone MUST be
signed correctly under this key's specified Algorithm. A validator
that receives a Strict Mode DNSKEY with a supported Algorithm
SHOULD reject as Bogus any RRSet that lacks a valid RRSIG with
this Algorithm.
--Ben Schwartz
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
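The validator rule from the quoted draft text, as an added Python example (not code from the draft or from anyone in this thread): it runs the current one-valid-RRSIG-suffices check next to the Strict Mode check over a constructed apex DNSKEY RRset and a few constructed RRSIG sets. The strict flag bit position, the key tags, and the `verifies` boolean standing in for the cryptographic signature check are assumptions of the example.

```python
from dataclasses import dataclass

# Hypothetical bit position: the draft only says "bit $N" of the DNSKEY flags field.
STRICT_MODE_FLAG = 1 << 0

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int   # IANA DNSSEC algorithm number
    flags: int

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    verifies: bool   # outcome of the cryptographic check, stubbed for this example

# Algorithms this example validator supports (8 = RSASHA256, 13 = ECDSAP256SHA256).
SUPPORTED = {8, 13}

def _valid_algorithms(dnskeys, rrsigs, supported):
    """Algorithms for which some RRSIG verifies under a matching apex DNSKEY."""
    keys = {(k.key_tag, k.algorithm) for k in dnskeys}
    return {s.algorithm for s in rrsigs
            if s.verifies and s.algorithm in supported and (s.key_tag, s.algorithm) in keys}

def validate_rfc4035(dnskeys, rrsigs, supported=SUPPORTED):
    """Current rule: one valid RRSIG under any supported apex key makes the RRset Secure."""
    return "Secure" if _valid_algorithms(dnskeys, rrsigs, supported) else "Bogus"

def validate_strict_mode(dnskeys, rrsigs, supported=SUPPORTED):
    """Draft rule: every supported algorithm carried by a Strict Mode DNSKEY must also
    have a valid RRSIG for this RRset, otherwise the RRset is Bogus."""
    valid = _valid_algorithms(dnskeys, rrsigs, supported)
    if not valid:
        return "Bogus"
    required = {k.algorithm for k in dnskeys
                if k.flags & STRICT_MODE_FLAG and k.algorithm in supported}
    return "Bogus" if required - valid else "Secure"

# Constructed apex DNSKEY RRset: an RSA key (not strict) and an ECDSA key flagged strict.
# 0x0100 is the ZONE flag; the key tags are made up.
APEX_KEYS = [DNSKEY(11111, 8, 0x0100), DNSKEY(22222, 13, 0x0100 | STRICT_MODE_FLAG)]

# Constructed RRSIG sets for one RRset: signed by RSA only, by both keys, and with a bad ECDSA signature.
RSA_ONLY = [RRSIG(11111, 8, True)]
BOTH = [RRSIG(11111, 8, True), RRSIG(22222, 13, True)]
ECDSA_BROKEN = [RRSIG(11111, 8, True), RRSIG(22222, 13, False)]

if __name__ == "__main__":
    for name, sigs in [("rsa-only", RSA_ONLY), ("both", BOTH), ("ecdsa-broken", ECDSA_BROKEN)]:
        print(name, validate_rfc4035(APEX_KEYS, sigs), validate_strict_mode(APEX_KEYS, sigs))
```

The RSA-only and broken-ECDSA cases are the ones the two rules disagree on: a validator that supports algorithm 13 would accept them today and reject them under Strict Mode.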