The ANRW talk "Protocol Fixes for KeyTrap Vulnerabilities" this afternoon by Elias Heftrig, Haya Schulmann, Niklas Vogel, Michael Waidner is proposing that there is a type roll for DS and DNSKEY. I don't think this is needed. The only change actually needed is to add a new requirement that says that new DNSKEY algorithms MUST have DNSKEY RRsets that do not have colliding key tags. Validators can then depend on this behaviour with new key DNSKEY algorithms. The only question is do we add aliases for the existing key types.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
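
One way a signer or validator could check the requirement discussed in the message above, as an added example that is not part of the original post or of any ISC code. It assumes a collision means two distinct keys in one DNSKEY RRset sharing both algorithm number and key tag (the fields an RRSIG uses to select a key); the function names and sample keys are constructed for illustration.

```python
import struct
from collections import defaultdict

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def colliding_tags(rrset: list[bytes]) -> dict[tuple[int, int], list[bytes]]:
    """Map (algorithm, key_tag) -> keys, for every tag shared by more than one distinct key."""
    groups = defaultdict(set)
    for rdata in rrset:
        if len(rdata) < 4:
            raise ValueError("DNSKEY RDATA shorter than its fixed header")
        groups[(rdata[3], key_tag(rdata))].add(rdata)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def rrset_acceptable(rrset: list[bytes]) -> bool:
    """True when no two distinct keys in the RRset share an algorithm and key tag."""
    return not colliding_tags(rrset)

# Constructed sample data: arbitrary 32-byte strings standing in for public
# keys under algorithm 15 (Ed25519). They are not real zone keys.
ALG = 15
KEY_A = bytes(range(32))
KEY_B = KEY_A[2:4] + KEY_A[0:2] + KEY_A[4:]   # differs from KEY_A, same key tag
KEY_C = bytes(range(32, 64))

RDATA_A = dnskey_rdata(257, ALG, KEY_A)
RDATA_B = dnskey_rdata(257, ALG, KEY_B)
RDATA_C = dnskey_rdata(256, ALG, KEY_C)

if __name__ == "__main__":
    for name, rrset in (("A+C", [RDATA_A, RDATA_C]), ("A+B+C", [RDATA_A, RDATA_B, RDATA_C])):
        verdict = "ok" if rrset_acceptable(rrset) else "colliding key tags"
        print(name, verdict, sorted(colliding_tags(rrset)))
```
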