You probably noticed I swapped in the document and am tackling issues one by one.
On Mar 20, 2010, at 8:51 PM, Chris Thompson wrote:

> On Mar 20 2010, Paul Wouters wrote:
>
>> On Sat, 20 Mar 2010, Olaf Kolkman wrote:
>>
>>> - http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/NSEC-NSEC3
>>
>> That still states:
>>
>> "as well as no algorithm choice for SHA-256"
>>
>> That's been resolved now, see http://www.bind9.net/dns-sec-algorithm-numbers
>> RSASHA256 has DNSKEY algorithm 8 and RSASHA-512 has alg 10. As far as I
>> know, these include NSEC3, though the registry contains no pointers for that.
>
> It contains a pointer to RFC 5702, and section 5.2 of RFC5702 is completely
> clear on the subject.
>
>> Is it noted anywhere that algorithms > 5 imply NSEC3 support? If not, should
>> we?
>
> I suppose it is still open to DNSEXT to submit new algorithms which imply
> NSEC only, but of course that is not expected to happen. (Anyway, 253 & 254
> are "> 5" and there it's a matter for private agreement.)

Rereading this particular issue it seems that the current text in version 02
( http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-02#section-5.3.1 )
is conflating DNS signing algorithms with the NSEC3 digest-algorithm field.

I am not quite sure what this section tries to accomplish except for the fact
that NSEC3 support is signaled in the algorithm numbers, which I don't think is
in scope at this particular place (section 5.3) in the document.

I think that talking about NSEC3 hash algorithm rollover is in scope (in
section 5.3) and modified the text to read:

<t>
At the moment of writing there is only one NSEC3 Hashing algorithm defined.
<xref target="RFC5155"/> specifically calls out that when a new hash
algorithm for use with NSEC3 is specified, a transition mechanism MUST
also be defined. Therefore this document does not consider NSEC3 hash
algorithm transition.
</t>

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
Science Park 140, 1098 XG Amsterdam
http://www.nlnetlabs.nl/

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
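The "only one NSEC3 hashing algorithm" that Olaf's proposed text refers to is algorithm 1, SHA-1, and RFC 5155 section 5 defines the iterated, salted construction that uses it. The following is an added example, not code from the thread or from the rfc4641bis draft: it computes the NSEC3 hashed owner name for a given name, salt and iteration count, and then checks whether a queried name's hash is "covered" by an NSEC3 record (the comparison a validator does for a denial-of-existence proof, including the wrap-around at the end of the hash chain). The salt "-" follows the presentation convention of RFC 5155 for an empty salt. The only external value assumed is the test vector from RFC 5155 Appendix A (salt aabbccdd, 12 iterations, owner name "example"); the hashes used in the covering check are constructed placeholders, chosen only for their ordering.

```python
import base64
import hashlib

# RFC 5155 section 11: hash algorithm 1 (SHA-1) is the only value assigned.
# A second algorithm would have to come with its own transition mechanism.
NSEC3_HASH_ALGS = {1: hashlib.sha1}

# Python's base64 module emits the standard RFC 4648 base32 alphabet;
# NSEC3 owner names use the "Extended Hex" alphabet, so translate it.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex, lowercase; 20 SHA-1 bytes encode to exactly 32 chars."""
    return (base64.b32encode(data).decode("ascii")
            .translate(_B32_TO_B32HEX).rstrip("=").lower())


def nsec3_hash(name: str, salt_hex: str, iterations: int, hash_alg: int = 1) -> str:
    """RFC 5155 section 5:
         IH(salt, x, 0) = H(x || salt)
         IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
       The hashed owner name is IH(salt, wire_name(name), iterations)."""
    if hash_alg not in NSEC3_HASH_ALGS:
        # Refusing unknown algorithms is the safe failure mode: a validator
        # that guessed would accept proofs it cannot check.
        raise ValueError("unknown NSEC3 hash algorithm %d" % hash_alg)
    h = NSEC3_HASH_ALGS[hash_alg]
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = h(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = h(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between an NSEC3 record's owner hash
    and its Next Hashed Owner Name, i.e. the record proves the target does
    not exist. The last record in the chain points back to the first, so
    its interval wraps around the end of the hash space."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: NSEC3PARAM 1 0 12 aabbccdd
    print(nsec3_hash("example", "aabbccdd", 12))
```

Because the hash covers the canonical (lowercase) wire form, "EXAMPLE." and "example" produce the same owner name, which is what lets a validator hash an arbitrary query name and compare it against signed NSEC3 records. The strict inequalities in `nsec3_covers` matter: a target equal to the owner hash means the name exists and the record is a match, not a covering record.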
