On Tue, 23 Feb 2021, Paul Hoffman wrote:
> What is the purpose of this flag? Why wouldn't a zone owner who has such a strong desire for using that one algorithm just sign with that algorithm?
Section 2.2 of the draft makes the argument. Ben seems to be imagining a world where some validators don't implement the "stronger" algorithm and he wants to provide at least some protection for them, potentially for a long time. And, addressing Paul Wouters' comment, he's envisioning a world where the state of having multiple algorithms' signatures persists.
Recognizing that I'm likely biased by my history of working on the current "mandatory algorithm rules", I don't buy the need for this complexity. In practice our "weak" algorithms aren't _that_ weak. And, if they are, we might as well stop signing with them entirely. This seems like unnecessary further loading of the camel.
Ben, if you decide to persist with this idea, I've filed some issues in your GH repo.
-- Sam

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop