On 15 Oct 2016, at 10:22, Mikael Abrahamsson wrote:

set up a domain with a algorithm ID nobody will ever implement (reserve it if need be), and check that this domain returns as unvalidated (as per SHOULD in the RFC).
Geoff Houston did some research here some years ago and just did an update to his findings. You might want to look at:

Put in a MUST in relevant standards that implementation must not treat this identifier as anything but "I don't know anything about this" (ie don't implement specific tests for this "algorithm" and treat it differently from any other algorithm ID that is unknown).
I'm not sure a change in the standards will be possible as if remember correct some people think that the fallback to insecure is a not a good thing. So am not sure if we could achieve consensus on that. I think the current RFC are clear enough and later version of dnsmasq have corrected the problem.

These kinds of migration scenarios to newer algorithms MUST be hashed out, because otherwise we're never going to be able to deploy new algorithms (and per previous experience, it seems we want to change them every 5-10 years).
Yes and there is some work in the TLD space. You might want to listen to Ondreys talk at DNS-OARC:

There are always issues rolling out new stuff, the sooner we encounter and fix them the better. So thanks for finding and pointing it out.

So long

DNSOP mailing list

Reply via email to