On Sat, 15 Oct 2016, Ray Bellis wrote:

> I hadn't considered algorithm-specific tests, but the app could in theory include tests for whether zones known to be signed with specific algorithms can be correctly resolved with +AD returned.

What I would like to see are tests like:

Set up a domain with an algorithm ID nobody will ever implement (reserve it if need be), and check that this domain returns as unvalidated (as per SHOULD in the RFC). Put in a MUST in relevant standards that implementations must not treat this identifier as anything but "I don't know anything about this" (i.e. don't implement specific tests for this "algorithm" and treat it differently from any other algorithm ID that is unknown).

These kinds of migration scenarios to newer algorithms MUST be hashed out, because otherwise we're never going to be able to deploy new algorithms (and per previous experience, it seems we want to change them every 5-10 years).

Mikael Abrahamsson    email: swm...@swm.pp.se
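The check proposed in the message above, sketched as an added example that is not part of the original thread: a validating resolver queried for a zone signed only with an unknown algorithm should answer NOERROR without the AD bit, neither claiming validation nor returning SERVFAIL. The function names and the header-only sample replies are constructed for illustration.

```python
import socket
import struct

FLAG_QR, FLAG_AD, RCODE_SERVFAIL = 0x8000, 0x0020, 2

def build_query(name, txid, qtype=1):
    """Recursive query with AD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | FLAG_AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0x00008000, 0)  # root, OPT, size, DO
    return header + question + opt

def classify(response, txid):
    """Map a resolver reply to the validation state its header reports."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & FLAG_QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "bogus"  # validation failure or another resolver-side failure
    if rcode != 0:
        return "error"
    return "secure" if flags & FLAG_AD else "insecure"

def unknown_algorithm_test(response, txid):
    """Pass only if the zone is answered as unvalidated: NOERROR without AD."""
    return classify(response, txid) == "insecure"

def ask(resolver_ip, name, txid=0x4242, timeout=3.0):
    """Send the query over UDP to a resolver under test (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def sample(flags, txid=0x4242):
    """Constructed header-only reply standing in for a real resolver answer."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

SAMPLES = {  # constructed; 0x8180 = QR | RD | RA
    "falls back to insecure": sample(0x8180),
    "claims validation": sample(0x8180 | FLAG_AD),
    "servfail": sample(0x8180 | RCODE_SERVFAIL),
}
```

Only the first sample passes; the other two are the failure modes such a test zone would expose in a resolver.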

DNSOP mailing list
