Paul Hoffman wrote:
At 9:52 AM -0400 7/17/10, Thierry Moreau wrote:
Incidentally, you say you [the design team] had good *documented* reasons for
implementing DURZ *as*you*did*. Did you document why any of
unknown/proprietary/foreign signature algorithm code(s) were not possible (this
was an alternative)? This was my outstanding question.
Thierry, can you say how using one of those alternatives would look different than the
DURZ that they used? Should they all be marked as "unverified" in a compliant
DNSSEC resolver?
Yes. E.g. if a zone is signed only by algorithm GOOSE_128, and your
validating resolver does not know this algorithm, the DNS zone data
remains "insecure" (this is what you mean by "unverified" I guess).
That's in the DNSSEC protocol.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
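The behaviour Thierry describes (a zone whose only signing algorithm the validator does not recognise is treated as insecure rather than bogus) is what RFC 4035 section 5.2 and RFC 6840 section 5.2 require. The following is an added illustration of that decision logic, not code from the thread or from any resolver: a toy delegation check that takes a DS RRset, the RRSIGs over the child DNSKEY RRset, and the validator's supported algorithm set, and returns secure, insecure or bogus. The algorithm numbers 5, 8, 13 and 15 are real IANA assignments; `GOOSE_128 = 200` is a constructed placeholder for the hypothetical algorithm in the message, and the `verifies` flag stands in for the actual signature check.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    SECURE = "secure"
    INSECURE = "insecure"   # treated as unsigned data
    BOGUS = "bogus"         # signed with a known algorithm, but validation failed


# Real IANA DNSSEC algorithm numbers.
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15
# Constructed placeholder for the thread's hypothetical unknown algorithm; not a registered number.
GOOSE_128 = 200

# Real DS digest type numbers: SHA-1, SHA-256, SHA-384.
SUPPORTED_DIGESTS = {1, 2, 4}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    verifies: bool   # stand-in for the cryptographic check against the matching DNSKEY


def evaluate_delegation(ds_rrset, rrsigs, supported_algorithms, supported_digests=SUPPORTED_DIGESTS):
    """Classify a signed delegation the way a DNSSEC validator must.

    - No DS at all (assumed to be authenticated denial): the child is unsigned, so INSECURE.
    - DS records exist but none uses an algorithm/digest this validator supports:
      RFC 4035 5.2 says treat the child as unsigned, so INSECURE (Thierry's GOOSE_128 case).
    - At least one usable DS exists: some RRSIG made with a key matching a usable DS must verify,
      otherwise the data is BOGUS.
    """
    if not ds_rrset:
        return State.INSECURE

    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algorithms and ds.digest_type in supported_digests]
    if not usable:
        return State.INSECURE

    for ds in usable:
        for sig in rrsigs:
            if sig.key_tag == ds.key_tag and sig.algorithm == ds.algorithm and sig.verifies:
                return State.SECURE
    return State.BOGUS


# Constructed sample data: a child zone signed only with the unknown algorithm.
GOOSE_ONLY_DS = [DS(key_tag=12345, algorithm=GOOSE_128, digest_type=2)]
GOOSE_ONLY_SIGS = [RRSIG(key_tag=12345, algorithm=GOOSE_128, verifies=True)]

# Constructed sample data: a child zone signed with RSASHA256.
RSA_DS = [DS(key_tag=20326, algorithm=RSASHA256, digest_type=2)]
RSA_GOOD_SIGS = [RRSIG(key_tag=20326, algorithm=RSASHA256, verifies=True)]
RSA_BAD_SIGS = [RRSIG(key_tag=20326, algorithm=RSASHA256, verifies=False)]

COMMON_VALIDATOR = {RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519}


if __name__ == "__main__":
    print("GOOSE_128 only, validator unaware:",
          evaluate_delegation(GOOSE_ONLY_DS, GOOSE_ONLY_SIGS, COMMON_VALIDATOR).value)
    print("GOOSE_128 only, validator aware:",
          evaluate_delegation(GOOSE_ONLY_DS, GOOSE_ONLY_SIGS, COMMON_VALIDATOR | {GOOSE_128}).value)
    print("RSASHA256, good signature:",
          evaluate_delegation(RSA_DS, RSA_GOOD_SIGS, COMMON_VALIDATOR).value)
    print("RSASHA256, bad signature:",
          evaluate_delegation(RSA_DS, RSA_BAD_SIGS, COMMON_VALIDATOR).value)
```

The contrast worth noticing is the last two runs: the same zone data is secure or bogus depending on whether the signature verifies, whereas an unknown algorithm never reaches the signature check at all and simply falls back to the unsigned state. A zone published under a DS that mixes a known and an unknown algorithm is handled by the same loop: the known one must verify (RFC 6840 section 5.11), and the unknown one is ignored.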
---------------------------------------------------------------------
The Cryptography Mailing List