Hi Paul,
On 10/15/24 20:30, Paul Hoffman wrote:
On Oct 15, 2024, at 10:30, Peter Thomassen <pe...@desec.io> wrote:
On 10/15/24 19:02, Paul Hoffman wrote:
In specific, "Use for DNSSSEC Signing" and "Use for DNSSSEC
Delegation" do not make sense if there is more than one "MUST" in that
column. You cannot use two algorithms to sign or delegate at the same
time.
I think you misread, Paul; the second column is "use for validation" (not
delegation).
I think I did not. The draft adds "Use for DNSSEC Delegation" to the table in section 4.
That column in that table has the same "MUST but MAY" problem I brought up.
Thank you for explaining; the original post included just one table and cited
two column headers, which I took to be columns from the quoted table. I now
understand you brought up two issues.
I agree about the issue you described with table 2. Additionally, in my previous email I added a
suggestion to change the "Use for DNSSEC Validation" column header in table 2 to
"Support for DNSSEC Validation", which I continue to consider an improvement to remove
ambiguity of a multi-algo validation requirement.
Also, obviously all algorithms used or supported for validation are necessarily
implemented, so the last column in my opinion can go away.
I disagree about the table 3 issue, and see no problem absolutely mandating one
DS record (of digest type 2) and making another one optional; there's no cost
downside to it (unlike double-signing). In fact, that's how I've always read
RFC 8624 Section 3.3 (perhaps wrongly), so I do not perceive a change here.
The column "Use for DNSSEC Validation" has the same issue as in table 2, and I think
should be changed to "Support for DNSSEC Validation". Again, obviously all algorithms
used or supported for validation are necessarily implemented, so the last column in my opinion can
go away.
Doing as suggested above leaves us with
- implementation requirements for signing/delegating (third column),
- from which zone owners can choose recommended ones for active use
(signing/delegation, first column),
- and on whose availability (within reason) can be relied for passive use
(validation, second column).
We need three columns (not 4) because active use (signing/delegation) is a manual (human) choice from the
implemented set of algorithms (so, two separate columns with recommendations), whereas for passive use
(validation), a resolver will likely use all algorithms it knows / not implement algorithms it doesn't use.
The latter point therefore can be subsumed in one column the merges "use" and
"implementation" into simply support "support".
Best,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
