On 10/15/24 19:02, Paul Hoffman wrote:
In specific, "Use for DNSSEC Signing" and "Use for DNSSEC Delegation" do not make sense if there is more than one "MUST" in that column. You cannot use two algorithms to sign or delegate at the same time.
I think you misread, Paul; the second column is "use for validation" (not delegation). I think MUST is fine there for multiple algorithms, in the sense that validators MUST have multiple algorithms enabled (without enforcing them at the same time, though). One could misread this as "return bogus if not all algorithms are present that MUST be used for validation". I'm thus suggesting to rename this column to "Support for DNSSEC validation".
Thank you for the analysis. I think there are three (obvious) paths forward:

1. Define what MUST means in the context for the Use columns.
2. Use RECOMMENDED instead.
3. Only allow a single MUST in the Use column because that's what we want people to really use (which does sound more like a SHOULD). IE, if we believe ideally there should be one cryptographic algorithm deployed to simplify the deployed base, we could pick this route. I doubt it would be popular though, as we already have a fractured ecosystem and it is generally working.
[...]
My preference would be #2.
+1

I think this is also what it is intended to mean, i.e., we can get that meaning without re-defining MUST.

Peter

--
https://desec.io/