In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
>I'm not following what breaks based on the wording I suggested, and I'm not sure why you keep bringing that up. :-)

Let's say I sign my zones using some scripts and ldns-signzone. This
has been working for years so is now on autopilot.

Then an RFC gets published that signers MUST NOT support signing using SHA1,
so ldns removes those algorithms. Then a software update brings the new
version of ldns to my system. Now an unsigned zone gets deployed, and the whole
zone is considered bogus by validators who see a valid DS record but not a
corresponding signed zone.

My reading is that this is what the draft tries to do.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
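A pre-publication guard for the failure mode described in the message above, added here as an example (not ldns code and not from the thread): it checks that the zone the signer emitted still carries a DNSKEY RRset, that every algorithm in the parent's DS (assumed to be fetched separately and passed in) is present among the zone's keys, and that every RRset is signed by every DNSKEY algorithm, so a silently unsigned or half-signed zone is rejected before it lands under a DS that expects signatures. The zone text, key and signature values are constructed; the check does not verify any cryptography.

```python
# Constructed sample zone (fake keys/signatures; this check never verifies crypto).
SIGNED = """\
example.test. 3600 IN SOA ns.example.test. host.example.test. 2024050201 3600 900 1209600 300
example.test. 3600 IN RRSIG SOA 13 2 3600 20240601000000 20240502000000 12345 example.test. c2ln
example.test. 3600 IN NS ns.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20240601000000 20240502000000 12345 example.test. c2ln
example.test. 3600 IN DNSKEY 257 3 13 cHVi
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240601000000 20240502000000 12345 example.test. c2ln
"""
# What the signer would leave behind if it silently stopped signing.
UNSIGNED = "\n".join(l for l in SIGNED.splitlines() if " RRSIG " not in l and " DNSKEY " not in l)

def parse_records(zone_text):
    """Return (owner, type, rdata_fields) per record; presentation format, one record per line."""
    recs = []
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()
        if not f:
            continue
        i = 1  # skip the optional TTL and class between owner and type
        while i < len(f) and (f[i].isdigit() or f[i].upper() == "IN"):
            i += 1
        recs.append((f[0], f[i].upper(), f[i + 1:]))
    return recs

def check_signed_zone(zone_text, parent_ds_algs):
    """Problems that should block publishing; [] means the zone matches its DS.
    parent_ds_algs: algorithm numbers from the DS RRset at the parent (obtained separately)."""
    recs = parse_records(zone_text)
    problems = []
    # DNSKEY RDATA is: flags protocol algorithm key
    key_algs = {int(rd[2]) for _, t, rd in recs if t == "DNSKEY"}
    if not key_algs:
        problems.append("no DNSKEY RRset: zone is unsigned")
    for alg in sorted(set(parent_ds_algs) - key_algs):
        problems.append(f"parent DS expects algorithm {alg} but no DNSKEY uses it")
    # RRSIG RDATA starts: type_covered algorithm ...; map (owner, type) -> algorithms that signed it.
    sigs = {}
    for owner, t, rd in recs:
        if t == "RRSIG":
            sigs.setdefault((owner, rd[0].upper()), set()).add(int(rd[1]))
    # RFC 4035 sect. 2.2: every RRset must be signed by every algorithm in the DNSKEY RRset
    # (assumes no delegations in the sample, whose NS/glue are legitimately unsigned).
    for owner, t, rd in recs:
        if t != "RRSIG":
            for alg in sorted(key_algs - sigs.get((owner, t), set())):
                problems.append(f"{owner} {t} has no RRSIG with algorithm {alg}")
    return problems
```

Run it as the last step of the signing script and refuse to copy the zone into place when the list is non-empty; that turns the silent failure into a loud one.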