Remember that a DNSKEY RRset doesn’t have to match all DS records. It only has to match one. Multi-signer depends on this.
> On 23 Jul 2024, at 09:28, Mark Andrews <ma...@isc.org> wrote:
>
> At the moment you can only have one private algorithm per key type world
> wide.
>
> This is all to do with how you prove a zone is to be treated as insecure.
> If example.com is using private.example.com and example.net is using
> private.example.net, how does a validator that knows about private.example.com
> prove that example.net responses are to be treated as insecure when there is a
> DS with PRIVATEDNS returned?
> --
> Mark Andrews
>
>> On 23 Jul 2024, at 07:46, Ben Schwartz <bem...@meta.com> wrote:
>>
>> Two questions I didn't see addressed:
>>
>> Why would a zone need to be signed with multiple private algorithms?
>>
>> Why isn't it sufficient to treat all private algorithms as a single
>> algorithm for DS purposes, and distinguish by the Key Tag and/or trial
>> hashing?
>>
>> --Ben Schwartz
>>
>> From: Mark Andrews <ma...@isc.org>
>> Sent: Monday, July 22, 2024 1:08 PM
>> To: dnsop <dnsop@ietf.org>
>> Subject: [DNSOP] Fwd: New Version Notification for draft-andrews-private-ds-digest-types-00.txt
>>
>> This addresses a gap in the DNSSEC specification. DS records need to
>> identify specific DNSSEC algorithms rather than a set of DNSSEC algorithms.
>>
>>> Begin forwarded message:
>>>
>>> From: internet-dra...@ietf.org
>>> Subject: New Version Notification for draft-andrews-private-ds-digest-types-00.txt
>>> Date: 22 July 2024 at 10:05:24 GMT-7
>>> To: "M. Andrews" <ma...@isc.org>, "Mark Andrews" <ma...@isc.org>
>>>
>>> A new version of Internet-Draft draft-andrews-private-ds-digest-types-00.txt
>>> has been successfully submitted by Mark Andrews and posted to the
>>> IETF repository.
>>>
>>> Name:     draft-andrews-private-ds-digest-types
>>> Revision: 00
>>> Title:    Private DS Digest Types
>>> Date:     2024-07-22
>>> Group:    Individual Submission
>>> Pages:    5
>>> URL:      https://www.ietf.org/archive/id/draft-andrews-private-ds-digest-types-00.txt
>>> Status:   https://datatracker.ietf.org/doc/draft-andrews-private-ds-digest-types/
>>> HTMLized: https://datatracker.ietf.org/doc/html/draft-andrews-private-ds-digest-types
>>>
>>> Abstract:
>>>
>>> When DS records were defined, the ability to fully identify the
>>> DNSSEC algorithms using PRIVATEDNS and PRIVATEOID was overlooked.
>>>
>>> This document specifies 2 DS Algorithm Types which allow the DNSSEC
>>> algorithm sub type to be encoded in the DS record.
>>>
>>> The IETF Secretariat
>>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-le...@ietf.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
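The "one matching DS is enough" rule from the top of this message, and the PRIVATEDNS gap the draft is about, are easy to see in code. The following is an added illustration written for this page; it is not code from the thread, from ISC, or from the draft, and it does not implement the draft's proposed digest types (their numbers are not given here). It computes DS records per RFC 4034 section 5.1.4 and the key tag per RFC 4034 Appendix B over constructed DNSKEY RDATA (the key bytes are arbitrary, not real keys), checks a DNSKEY against a DS RRset the way RFC 4035 section 5.2 describes, and shows that two keys using different PRIVATEDNS algorithms produce DS records that both carry only algorithm 253, so the DS alone cannot say which private algorithm is in use.

```python
"""DS/DNSKEY matching per RFC 4034 (sections 5.1.4, Appendix B) and RFC 4035 5.2.
Added example for illustration; key material below is constructed, not real."""
import hashlib
import struct

# DS digest types registered for DNSSEC (RFC 4034, RFC 4509, RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
PRIVATEDNS = 253  # RFC 4034 Appendix A.1.1: algorithm name lives in the key data


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int):
    """DS RDATA as (key tag, algorithm, digest type, digest), where
    digest = H(canonical owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def private_algorithm_name(rdata: bytes):
    """For a PRIVATEDNS key the public key field begins with a wire-format
    domain name identifying the private algorithm; return it, else None."""
    if rdata[3] != PRIVATEDNS:
        return None
    pos, labels = 4, []
    while rdata[pos] != 0:
        length = rdata[pos]
        labels.append(rdata[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."


def dnskey_matches_any_ds(owner: str, rdata: bytes, ds_rrset) -> bool:
    """A DNSKEY is authenticated by the DS RRset if at least ONE DS matches it;
    the remaining DS records may belong to other keys (e.g. another signer)."""
    flags, protocol = struct.unpack("!HB", rdata[:3])
    if not (flags & 0x0100) or protocol != 3:  # Zone Key bit set, protocol 3
        return False
    for tag, alg, dtype, digest in ds_rrset:
        if dtype not in DIGEST_ALGS:
            continue  # unsupported digest type: this DS cannot be used
        if tag != key_tag(rdata) or alg != rdata[3]:
            continue
        if make_ds(owner, rdata, dtype)[3] == digest:
            return True
    return False


def demo():
    owner = "example.com."
    # Constructed sample keys: arbitrary bytes stand in for real key material.
    ksk_ecdsa = dnskey_rdata(257, 3, 13, bytes(range(64)))
    ksk_priv_a = dnskey_rdata(257, 3, PRIVATEDNS,
                              name_to_wire("private.example.com.") + b"\x01" * 32)
    ksk_priv_b = dnskey_rdata(257, 3, PRIVATEDNS,
                              name_to_wire("private.example.net.") + b"\x02" * 32)
    # The parent publishes one DS per key it delegates trust to (two here).
    ds_rrset = [make_ds(owner, ksk_ecdsa, 2), make_ds(owner, ksk_priv_a, 2)]
    return {
        "ecdsa_matches": dnskey_matches_any_ds(owner, ksk_ecdsa, ds_rrset),
        "priv_a_matches": dnskey_matches_any_ds(owner, ksk_priv_a, ds_rrset),
        "priv_b_matches": dnskey_matches_any_ds(owner, ksk_priv_b, ds_rrset),
        # Only the DNSKEY reveals which private algorithm each key uses ...
        "priv_a_name": private_algorithm_name(ksk_priv_a),
        "priv_b_name": private_algorithm_name(ksk_priv_b),
        # ... while the DS for either key carries the same algorithm byte, 253.
        "ds_algorithms": [make_ds(owner, k, 2)[1] for k in (ksk_priv_a, ksk_priv_b)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each key in the demo matches exactly one of the two DS records and fails the other, which is the property multi-signer setups rely on. The last entry is the gap the draft addresses: a validator holding only the DS RRset sees algorithm 253 for both private keys and has to fetch and parse the DNSKEY before it can tell private.example.com from private.example.net.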