> 1. that all signers perform algorithm rollovers at the same time
> (but why would, e.g., Cloudflare want to coordinate a hypothetical
> migration from algorithm 13 to 15 with NS1?);
I'm curious what that would look like from a DNSSEC validator's point of view. The current spec is that a validator looks at the DS RRset. If there is no algorithm in the DS RRset that is supported by the validator, then the zone is insecure. Suppose a validator understands 13 but not 15. And if it gets data from Cloudflare in this example, then validation will fail and the zone is DNSSEC bogus.

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
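Added example, not part of the original message: a simplified Python model of the validator decision discussed above, showing how the same zone comes out insecure, secure or bogus depending on the DS RRset and on which signer answers. It assumes a hypothetical zone whose DS RRset lists both 13 and 15 while one signer has already moved to 15 only; no cryptography is performed, and the function and scenario names are made up for illustration.

```python
# Added illustration: a signature "verifies" here if the validator supports its
# algorithm and a DNSKEY of that algorithm is served (assumption; no real crypto).

ECDSAP256SHA256 = 13  # IANA DNSSEC algorithm numbers
ED25519 = 15


def zone_status(ds_algs, validator_algs, dnskey_algs, rrsig_algs):
    """Classify one response as 'insecure', 'secure' or 'bogus'.

    ds_algs        -- algorithms listed in the parent's DS RRset
    validator_algs -- algorithms the validator implements
    dnskey_algs    -- algorithms present in the DNSKEY RRset that was served
    rrsig_algs     -- algorithms of the RRSIGs this signer attached
    """
    usable = set(ds_algs) & set(validator_algs)
    if not usable:
        # RFC 4035 section 5.2: no supported algorithm in the DS RRset means
        # the zone is treated as unsigned, not as a validation failure.
        return "insecure"
    # The zone is expected to be signed. One working chain is enough
    # (RFC 6840 section 5.11), but it must use an algorithm we understand.
    for alg in usable:
        if alg in dnskey_algs and alg in rrsig_algs:
            return "secure"
    return "bogus"


def scenarios():
    """Constructed cases for a validator that supports 13 but not 15."""
    old_validator = {ECDSAP256SHA256}
    both = {ECDSAP256SHA256, ED25519}
    return {
        # DS lists 13 and 15; the answering signer signs with 15 only.
        "signer_on_15": zone_status(both, old_validator, both, {ED25519}),
        # Same DS RRset; the answering signer still signs with 13.
        "signer_on_13": zone_status(both, old_validator, both, {ECDSAP256SHA256}),
        # Whole zone migrated: DS lists only 15.
        "ds_only_15": zone_status({ED25519}, old_validator, {ED25519}, {ED25519}),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

The outcome flips between secure and bogus with whichever signer happens to answer, which makes this failure intermittent and hard to diagnose from resolver logs alone.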