On Wed, Feb 24, 2021 at 1:32 AM Ralf Weber <d...@fl1ger.de> wrote:
> Moin!
>
> On 23 Feb 2021, at 16:08, Ben Schwartz wrote:
>
> > Inspired by some recent discussions here (and at DNS-OARC), and hastened by
> > the draft cut-off, I present for your consideration "DNSSEC Strict Mode":
> > https://datatracker.ietf.org/doc/html/draft-schwartz-dnsop-dnssec-strict-mode-00
>
> Interesting read. Some comments:
> - Shouldn't multiple signatures/algorithms be the exception, only used when
> migrating to a new one? Having multiple algorithms as the norm seems wrong,
> but I'm not a crypto person so would be interested if this is used somewhere.
In TLS, servers and clients almost always support several different ciphersuites, and perform a secure negotiation to select one that they both support. Strict Mode is the static equivalent of secure ciphersuite negotiation.

> - In DNSSEC or DNS in general you have to think about the whole domain tree.

I've added a note on this to the editor's draft. More broadly, I think Strict Mode makes sense throughout the tree. For example, if we find ourselves in a position where quantum advances raise concerns about RSA, and postquantum signatures are available but still new, it might make sense to double-sign the root.

> - DNSSEC validators are already absurdly complex, this is yet another straw
> on the camel's back IMHO.
>
> So long
> -Ralf
> ---
> Ralf Weber
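The difference between today's "any one valid signature suffices" rule and a strict "all supported algorithms must verify" rule, as an added toy model (my own code, not from the draft or anyone in this thread); it assumes that is what Strict Mode requires of a validator, ignores how a zone signals it, simulates signature verification with fixed outcomes, and uses "PQ-SIG" as a placeholder algorithm name:

```python
# Added example (not from the thread or the draft): a toy model of how a
# validator decides on an RRset signed with several algorithms, contrasting
# the any-one-valid-signature rule with a strict all-must-verify rule.
# Verification outcomes are simulated; no real cryptography is performed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rrsig:
    algorithm: str   # algorithm name; "PQ-SIG" below is a hypothetical placeholder
    verifies: bool   # simulated result of checking this RRSIG against the RRset


def _usable(rrsigs, supported):
    """Signatures made with an algorithm this validator implements."""
    return [s for s in rrsigs if s.algorithm in supported]


def classic_validate(rrsigs, supported):
    """Existing rule: any verifying signature from a supported algorithm makes
    the RRset secure, so security is that of the weakest supported algorithm."""
    usable = _usable(rrsigs, supported)
    if not usable:
        return "insecure"    # no supported algorithm: modelled as unsigned
    return "secure" if any(s.verifies for s in usable) else "bogus"


def strict_validate(rrsigs, supported):
    """Strict Mode as modelled here (an assumption): every signature whose
    algorithm the validator supports must verify, so security is that of the
    strongest supported algorithm."""
    usable = _usable(rrsigs, supported)
    if not usable:
        return "insecure"
    return "secure" if all(s.verifies for s in usable) else "bogus"


# Constructed scenario: a root double-signed with RSA and a hypothetical
# post-quantum algorithm. An attacker who can break RSA can forge the RSA
# signature over a bogus RRset but cannot forge the post-quantum one.
GENUINE = (Rrsig("RSASHA256", True), Rrsig("PQ-SIG", True))
FORGED = (Rrsig("RSASHA256", True), Rrsig("PQ-SIG", False))


def compare(supported):
    """Return (classic, strict) verdicts for the forged RRset."""
    return classic_validate(FORGED, supported), strict_validate(FORGED, supported)


if __name__ == "__main__":
    for sup in ({"RSASHA256", "PQ-SIG"}, {"RSASHA256"}):
        print(sorted(sup), compare(sup))
```

The second loop iteration shows the limit of the model: a validator that implements only RSA accepts the forgery under both rules, so the strict rule only helps validators that also implement the stronger algorithm.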
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop