On 11 apr 2014, at 12:03, Antoin Verschuren <[email protected]> wrote:

> I think since this is a protocol definition, CDS and CDNSKEY MUST
> match. What a parent should do when the protocol is violated is I
> guess an implementation issue, BCP, or perhaps even local policy. A
> parent may only look at CDNSKEY or CDS or both. Saying they MUST match
> when they are both in the zone does not state anything on what the
> parent should do when they don't, same as when the Rdata is rubbish.

I support this. This makes it possible for parents to decide themselves whether:

1. They only fetch CDNSKEY and will not fetch CDS
2. They only fetch CDS and will not fetch CDNSKEY
3. They fetch CDNSKEY first, and then CDS if CDNSKEY does not exist
4. They fetch CDS first, and then CDNSKEY if CDS does not exist
5. They fetch both CDS and CDNSKEY and will only pick data if the two are the same
6. ...

Etc.

If that is not the case, i.e. that the WG wants a specific algorithm, then that should be explicit.

Unless we have an algorithm, then I support the fact that according to the 
protocol, they MUST result in the same result, as the parent can choose what 
algorithm they use.

   Patrik
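
The parent-side policy options listed in the message above, modelled as an added example (not code from the thread or from any registry). It assumes DS digest type 2 (SHA-256, RFC 4509) and the RFC 4034 Appendix B key tag; the owner name and key material are constructed sample data, and the choice to treat a malformed ("rubbish") record set as unusable is this example's own, since the thread leaves that open.

```python
"""Parent-side handling of a child's CDS / CDNSKEY records.

Added example, not from the mailing-list thread.  A parent that consumes
CDNSKEY must derive the DS it would publish from each key; a parent that
consumes both can then check that the child's CDS set says the same thing.
Sample owner name and key bytes below are constructed, not real keys.
"""
import hashlib
import struct
from enum import Enum
from typing import Optional, Set, Tuple

DnsKey = Tuple[int, int, int, bytes]   # (flags, protocol, algorithm, public key)
Ds = Tuple[int, int, int, str]         # (key tag, algorithm, digest type, digest hex)


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name: 'example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DnsKey) -> bytes:
    flags, protocol, algorithm, pubkey = key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(key: DnsKey) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DnsKey) -> Ds:
    """DS RDATA for a DNSKEY: SHA-256 over canonical owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(owner_wire(owner) + dnskey_rdata(key)).hexdigest()
    return (key_tag(key), key[2], 2, digest)


def dnskey_well_formed(key: DnsKey) -> bool:
    flags, protocol, algorithm, pubkey = key
    return 0 <= flags <= 0xFFFF and protocol == 3 and 0 <= algorithm <= 255 and len(pubkey) > 0


def cds_well_formed(rec: Ds) -> bool:
    """Reject 'rubbish' RDATA: only digest type 2 with a 32-byte hex digest is accepted here."""
    tag, alg, dtype, digest = rec
    if not (0 <= tag <= 0xFFFF and 0 <= alg <= 255 and dtype == 2 and len(digest) == 64):
        return False
    try:
        bytes.fromhex(digest)
    except ValueError:
        return False
    return True


class Policy(Enum):
    CDNSKEY_ONLY = 1       # option 1 in the message
    CDS_ONLY = 2           # option 2
    CDNSKEY_THEN_CDS = 3   # option 3
    CDS_THEN_CDNSKEY = 4   # option 4
    BOTH_MUST_MATCH = 5    # option 5


def parent_decide(policy: Policy, owner: str, cds: Set[Ds], cdnskey: Set[DnsKey]) -> Optional[Set[Ds]]:
    """Return the DS set the parent would publish, or None to leave the delegation untouched.

    An empty input set means the record type is absent at the child.  A set containing
    any malformed record is treated as unusable (this example's choice), which for the
    fallback policies means the other record type is consulted instead.
    """
    from_cds: Optional[Set[Ds]] = None
    if cds and all(cds_well_formed(r) for r in cds):
        from_cds = set(cds)
    from_keys: Optional[Set[Ds]] = None
    if cdnskey and all(dnskey_well_formed(k) for k in cdnskey):
        from_keys = {ds_from_dnskey(owner, k) for k in cdnskey}

    if policy is Policy.CDNSKEY_ONLY:
        return from_keys
    if policy is Policy.CDS_ONLY:
        return from_cds
    if policy is Policy.CDNSKEY_THEN_CDS:
        return from_keys if from_keys is not None else from_cds
    if policy is Policy.CDS_THEN_CDNSKEY:
        return from_cds if from_cds is not None else from_keys
    # BOTH_MUST_MATCH: act only when both sets exist and the CDS set equals the DS
    # set derived from CDNSKEY; any disagreement means the parent does nothing.
    if from_cds is None or from_keys is None or from_cds != from_keys:
        return None
    return from_cds


if __name__ == "__main__":
    sample_key: DnsKey = (257, 3, 8, b"\x01\x02")          # constructed, not a real key
    good_cds = {ds_from_dnskey("example.", sample_key)}
    print(parent_decide(Policy.BOTH_MUST_MATCH, "example.", good_cds, {sample_key}))
```

The policy-5 branch is where the "MUST match" rule of the thread becomes a concrete comparison: the CDS set is compared against the DS set the parent itself derives from CDNSKEY, so a child that publishes inconsistent records simply gets no delegation change.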




_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop