> On 15 Apr 2019, at 11:21 pm, Edward Lewis wrote:
>
> A few follow ups:
>
> On 4/14/19, 22:35, "DNSOP on behalf of Mark Andrews" on behalf of ma...@isc.org> wrote:
>
>> You don’t publish DS records (or trust anchors) for an algorithm until the
>> incoherent state is resolved (incremental s
Well I think it is time for more fine tuning. It’s still only PS.
--
Mark Andrews
> On 15 Apr 2019, at 23:21, Edward Lewis wrote:
>
> A few follow ups:
>
> On 4/14/19, 22:35, "DNSOP on behalf of Mark Andrews" on behalf of ma...@isc.org> wrote:
>
>> You don’t publish DS records (or trust
A few follow ups:
On 4/14/19, 22:35, "DNSOP on behalf of Mark Andrews" wrote:
>You don’t publish DS records (or trust anchors) for an algorithm until the
>incoherent state is resolved (incremental signing with the new algorithm is
>complete).
While that makes sense, the protocol can't (no
And as DNS is loosely coherent a validator cannot check this rule even when
getting answers from a single IP address as there may be an anycast server
behind that address.
This loose coherence allows for servers to incrementally sign a zone when
introducing a new algorithm. An incrementally signe
I've been inactive a long time, but someone alerted me to this message.
(Apologies what below looks like it's from a ranting lunatic. But it is.)
On 4/12/19, 11:31, "DNSOP on behalf of Mark Andrews" wrote:
Well given that the actual rule is all the algorithms listed in the DS RRset
rat