Brian Dickson <[email protected]> wrote:
> On Tue, Nov 17, 2020 at 3:30 PM Tony Finch <[email protected]> wrote:
> >
> > Even so I think delegations should be signed.
>
> So, the parental NS records are not authoritative, and thus not supposed to
> be signed.

Yes, that was the logic, but it was a mistake :-)

> The signer field would differ between the delegation RRSIG and the apex
> RRSIG (on what would otherwise be very similar RRSETs).

Yes, like RRSIG(NSEC). A change of this kind would need an algorithm bump to
indicate support for the new semantics, like the bump from 5 to 7 to indicate
support for NSEC3. This has the caveat that a signer will want to wait for a
large enough proportion of validators to upgrade to support the new algorithms
before the signer bumps its algorithm, because old validators will treat the
new algorithms as insecure.

> And I'm not sure whether the DPRIVE use case is enough of a "new
> requirement" to justify changing the spec. But I think that is open to
> consideration at least.

Yes, that's why I'm talking about it :-)

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Tyne, Dogger, Fisher, German Bight, Humber: Southwest 6 to gale 8, veering
north 7 to severe gale 9. Rough or very rough, occasionally high for a time.
Rain or showers. Moderate or good.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
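The two points in Tony's reply (a different RRSIG signer name on the parent-side NS RRset, and the rollout caveat that validators treat an unknown DS algorithm as insecure rather than bogus) modelled as a small Python illustration. This is added here and is not code from the thread or from any DNS implementation; the algorithm number 250 is a placeholder for the hypothetical "signed delegations" algorithm, and the example also shows what happens if the parent publishes DS records for both the old and the new algorithm during the transition.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Algorithm numbers the thread refers to (RFC 4034, RFC 5155).
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
# Placeholder for a hypothetical algorithm whose semantics include
# parent-signed delegation NS RRsets. Assumption: no such number is assigned.
SIGNED_DELEGATIONS_ALG = 250


@dataclass(frozen=True)
class DS:
    child: str      # owner name of the DS record (the child zone apex)
    algorithm: int  # DNSKEY algorithm the DS digest refers to


def delegation_status(ds_rrset: list[DS], supported: set[int]) -> str:
    """RFC 4035 section 5.2: a validator that supports none of the algorithms
    in an authenticated DS RRset treats the child as if no DS existed."""
    if not ds_rrset:
        return "insecure"
    if any(ds.algorithm in supported for ds in ds_rrset):
        return "secure"
    return "insecure"   # unknown algorithm => insecure, never bogus


def expected_signer(side: str, parent: str, child: str, algorithm: int) -> Optional[str]:
    """Signer Name expected in the RRSIG over the NS RRset at a zone cut.
    `side` says which zone's copy of the NS RRset is being validated."""
    if side == "child":
        return child        # apex NS RRset, signed with the child's own key
    if algorithm == SIGNED_DELEGATIONS_ALG:
        return parent       # proposed semantics: parent signs its delegation NS
    return None             # current spec: delegation NS is not signed


OLD_VALIDATOR = {RSASHA1, RSASHA1_NSEC3_SHA1}
NEW_VALIDATOR = OLD_VALIDATOR | {SIGNED_DELEGATIONS_ALG}


def rollout_outcomes(ds_rrset: list[DS]) -> dict[str, str]:
    """What an un-upgraded and an upgraded validator conclude for one delegation."""
    return {"old": delegation_status(ds_rrset, OLD_VALIDATOR),
            "new": delegation_status(ds_rrset, NEW_VALIDATOR)}


if __name__ == "__main__":
    # Constructed sample: parent "test." moves example.test. to the new algorithm only.
    switched = [DS("example.test.", SIGNED_DELEGATIONS_ALG)]
    print(rollout_outcomes(switched))                   # old validator: insecure
    dual = switched + [DS("example.test.", RSASHA1_NSEC3_SHA1)]
    print(rollout_outcomes(dual))                       # both validators: secure
    print(expected_signer("parent", "test.", "example.test.", SIGNED_DELEGATIONS_ALG))
```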
