At the moment you can only have one private algorithm per key type worldwide.
This is all to do with how you prove a zone is to be treated as insecure. If example.com is using private.example.com and example.net is using private.example.net, how does a validator that knows about private.example.com prove that example.net responses are to be treated as insecure when there is a DS with PRIVATEDNS returned?
On 23 Jul 2024, at 07:46, Ben Schwartz <bem...@meta.com> wrote:
Two questions I didn't see addressed:
Why would a zone need to be signed with multiple private algorithms?
Why isn't it sufficient to treat all private algorithms as a single algorithm for DS purposes, and distinguish by the Key Tag and/or trial hashing?
--Ben Schwartz
From: Mark Andrews <ma...@isc.org>
Sent: Monday, July 22, 2024 1:08 PM
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Fwd: New Version Notification for draft-andrews-private-ds-digest-types-00.txt
This addresses a gap in the DNSSEC specification. DS records need to identify specific DNSSEC algorithms rather than a set of DNSSEC algorithms.
Begin forwarded message:
From: internet-dra...@ietf.org
Subject: New Version Notification for draft-andrews-private-ds-digest-types-00.txt
Date: 22 July 2024 at 10:05:24 GMT-7
To: "M. Andrews" <ma...@isc.org>, "Mark Andrews" <ma...@isc.org>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
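The gap Mark describes above, that the DS algorithm field alone cannot tell two PRIVATEDNS algorithms apart, modelled as a small validator in Python. This is an added example, not code from the thread, from ISC or from the draft: the DNSKEY layout and DS digest follow RFC 4034, the insecure-or-validate decision follows RFC 4035 section 5.2, signature verification is left out, and the zone names, private algorithm names and key bytes are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass

# DNSSEC algorithm numbers (RFC 4034 Appendix A.1.1) and DS digest type (RFC 4509).
PRIVATEDNS = 253        # private algorithm, named by a domain name at the start of the DNSKEY public key field
ECDSAP384SHA384 = 14    # an ordinary numbered algorithm, used below as the "unsupported" comparison case
DS_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    algorithm: int
    private_name: str     # for PRIVATEDNS: the algorithm's name, which leads the public key field; "" otherwise
    key_material: bytes   # constructed placeholder bytes standing in for real key material

    def rdata(self) -> bytes:
        # flags 257 (KSK), protocol 3, algorithm number, then the public key field
        prefix = name_to_wire(self.private_name) if self.algorithm == PRIVATEDNS else b""
        return (257).to_bytes(2, "big") + bytes([3, self.algorithm]) + prefix + self.key_material


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(key: DNSKEY) -> DS:
    """DS digest = SHA-256(owner name wire form || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    digest = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, DS_SHA256, digest)


@dataclass(frozen=True)
class Validator:
    algorithms: frozenset     # algorithm numbers this validator implements
    private_names: frozenset  # for PRIVATEDNS, the private algorithm names it can actually run (no trailing dot)
    digest_types: frozenset


def ds_step(validator: Validator, ds_set: list) -> str:
    """RFC 4035 section 5.2: the delegation is insecure only if no DS carries a supported algorithm
    AND digest type; otherwise the validator must go on and validate. The DS algorithm field is all
    this step can see, and every private algorithm shows up here as the single value 253."""
    usable = [ds for ds in ds_set
              if ds.algorithm in validator.algorithms and ds.digest_type in validator.digest_types]
    return "validate" if usable else "insecure"


def dnskey_step(validator: Validator, ds_set: list, keys: list) -> str:
    """Match the DS set against the child's DNSKEY RRset. A match on a key whose algorithm the validator
    can run authenticates the RRset (signature checking, omitted here, would follow). A match on a
    PRIVATEDNS key naming an algorithm it cannot run is of no use, so the chain ends up bogus."""
    for key in keys:
        candidate = make_ds(key)
        for ds in ds_set:
            if (ds.key_tag, ds.algorithm, ds.digest) != (candidate.key_tag, candidate.algorithm, candidate.digest):
                continue
            if key.algorithm == PRIVATEDNS and key.private_name.rstrip(".").lower() not in validator.private_names:
                continue
            return "secure"
    return "bogus"


def outcome(validator: Validator, ds_set: list, keys: list) -> str:
    """Full decision: the DS step may declare the zone insecure; otherwise validation must succeed."""
    return "insecure" if ds_step(validator, ds_set) == "insecure" else dnskey_step(validator, ds_set, keys)


# Constructed scenario from the thread: a validator that implements private.example.com
# meets example.net, which is signed with private.example.net.
VALIDATOR = Validator(frozenset({PRIVATEDNS}), frozenset({"private.example.com"}), frozenset({DS_SHA256}))

KEY_COM = DNSKEY("example.com.", PRIVATEDNS, "private.example.com.", b"\x01" * 32)
KEY_NET = DNSKEY("example.net.", PRIVATEDNS, "private.example.net.", b"\x02" * 32)
KEY_ORG = DNSKEY("example.org.", ECDSAP384SHA384, "", b"\x03" * 32)   # unsupported numbered algorithm

if __name__ == "__main__":
    print("example.com:", outcome(VALIDATOR, [make_ds(KEY_COM)], [KEY_COM]))   # secure
    print("example.org:", outcome(VALIDATOR, [make_ds(KEY_ORG)], [KEY_ORG]))   # insecure: 14 is not supported
    print("example.net:", outcome(VALIDATOR, [make_ds(KEY_NET)], [KEY_NET]))   # bogus, not insecure
```

The example.org case shows the behaviour a numbered algorithm gets: the DS names an algorithm the validator lacks, so the zone is insecure. The example.net case shows the gap: its DS also says 253, which the validator does support for a different private algorithm, so the DS step cannot declare the zone insecure and the chain fails as bogus instead.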