On 11/20/20 9:14 PM, Brian Dickson wrote:
> So, using a new algorithm for whatever we do, should be 100% backward
> compatible.

Yes, it should be. A few different proposals have been relying on that already, for DS or DNSKEY. It is possible that some validators still have bugs around this, but hopefully they would be manageable. For signers there's a possible caveat that a zone must be fully signed by *all* the present DNSKEY algorithms, but my point of view is that redefining that is relatively easy on deployment (as only zones wanting the feature get affected). See last paragraph of https://tools.ietf.org/html/rfc4035#section-2.2

> I think we (the three of us and maybe Tony Finch, if not the whole DNS
> community) may be converging on a design that will, I believe, work.

So far I can't clearly see that direction of convergence, but I'll be looking forward to such design proposals.

--Vladimir
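The two rules under discussion in this exchange, the signer-side requirement from the last paragraph of RFC 4035 section 2.2 (every RRset must carry an RRSIG for each algorithm present in the zone's DNSKEY RRset) and the validator-side rule from RFC 6840 section 5.11 (a validator accepts an RRset as soon as one signature under an algorithm it supports verifies, so an unknown algorithm does not break validation), can be checked mechanically. The following Python is an added example written for this page, not code from the list participants; it models records as plain dataclasses, does not perform any cryptographic verification, and uses algorithm number 250 as an obviously hypothetical "new algorithm" placeholder rather than an assigned code point.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Real IANA DNSSEC algorithm numbers for the known ones; 250 is a constructed
# placeholder standing in for a hypothetical, not-yet-assigned new algorithm.
ALG_RSASHA256 = 8
ALG_ECDSAP256SHA256 = 13
ALG_NEW_HYPOTHETICAL = 250


@dataclass
class DNSKEY:
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int


@dataclass
class RRSIG:
    type_covered: str  # RRset type this signature covers, e.g. "A"
    algorithm: int     # must match the DNSKEY algorithm that produced it


@dataclass
class Zone:
    dnskeys: List[DNSKEY]
    rrsigs: List[RRSIG]
    rrset_types: List[str]  # every authoritative RRset type present in the zone


def dnskey_algorithms(zone: Zone) -> Set[int]:
    """All algorithms advertised in the zone's DNSKEY RRset."""
    return {k.algorithm for k in zone.dnskeys}


def signer_coverage_gaps(zone: Zone) -> Dict[str, Set[int]]:
    """RFC 4035 §2.2 signer rule: each RRset needs an RRSIG for every DNSKEY
    algorithm. Returns {rrset_type: missing_algorithms} for violations only."""
    required = dnskey_algorithms(zone)
    gaps: Dict[str, Set[int]] = {}
    for rrtype in zone.rrset_types:
        present = {s.algorithm for s in zone.rrsigs if s.type_covered == rrtype}
        missing = required - present
        if missing:
            gaps[rrtype] = missing
    return gaps


def validator_accepts(zone: Zone, rrtype: str, supported: Set[int]) -> bool:
    """RFC 6840 §5.11 validator rule (simplified, no crypto): an RRset is
    accepted if at least one RRSIG uses an algorithm the validator supports
    AND the zone publishes a DNSKEY of that algorithm. Signatures under
    algorithms the validator does not implement are simply ignored."""
    published = dnskey_algorithms(zone)
    return any(
        s.type_covered == rrtype and s.algorithm in supported and s.algorithm in published
        for s in zone.rrsigs
    )


# Constructed sample zone: dual-signed with RSASHA256 and the hypothetical new
# algorithm, every RRset covered by both, as RFC 4035 §2.2 requires.
KEYS = [DNSKEY(257, ALG_RSASHA256), DNSKEY(256, ALG_RSASHA256),
        DNSKEY(257, ALG_NEW_HYPOTHETICAL), DNSKEY(256, ALG_NEW_HYPOTHETICAL)]
TYPES = ["SOA", "NS", "DNSKEY", "A"]
FULLY_SIGNED_ZONE = Zone(
    dnskeys=KEYS,
    rrsigs=[RRSIG(t, alg) for t in TYPES for alg in (ALG_RSASHA256, ALG_NEW_HYPOTHETICAL)],
    rrset_types=TYPES,
)

# Constructed counterexample: the A RRset was signed only with RSASHA256, so the
# signer-side rule is violated even though an old validator would still be fine.
PARTIALLY_SIGNED_ZONE = Zone(
    dnskeys=KEYS,
    rrsigs=[s for s in FULLY_SIGNED_ZONE.rrsigs
            if not (s.type_covered == "A" and s.algorithm == ALG_NEW_HYPOTHETICAL)],
    rrset_types=TYPES,
)

if __name__ == "__main__":
    print("gaps (full):", signer_coverage_gaps(FULLY_SIGNED_ZONE))
    print("gaps (partial):", signer_coverage_gaps(PARTIALLY_SIGNED_ZONE))
    # An older validator that knows only algorithms 8 and 13 still validates A.
    print("old validator accepts A:",
          validator_accepts(PARTIALLY_SIGNED_ZONE, "A", {ALG_RSASHA256, ALG_ECDSAP256SHA256}))
```

The two functions make the backward-compatibility claim and the caveat concrete: `validator_accepts` shows that a validator unaware of algorithm 250 still finds a supported path through the RSASHA256 signatures, while `signer_coverage_gaps` flags the partially signed zone, which is exactly the RFC 4035 §2.2 signer requirement that would need relaxing for zones opting into the new algorithm.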
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
