I have read the draft and support it being made into a WG document.

I do have some minor comments - none that change the tone of the document:

1. Introduction 5th paragraph
“DNSSEC algorithms are used…” Probably should be “DNSSEC registered algorithms…” There are no crypto algorithms that are part of DNSSEC only, just defined for use with DNSSEC.

2. There is also RFC 6975 - algorithm signaling in DNSSEC. I don’t know how widely deployed or used the EDNS option is, but it was proposed to help gather data about this very thing.

On 15 Nov 2016, at 7:41, Dan York wrote:

As mentioned at the very end of DNSOP, Olafur Gudmundsson, Ondrej Sury, Paul Wouters and I have a draft published that aims to document the steps involved with deploying a new cryptographic algorithm for DNSSEC. The overall goal is to make it easier to get new DNSSEC crypto algorithms deployed, both through documenting existing steps - and then potentially building off of this work with new documents to improve some of the steps. Right now we'd like to get ECDSA out, but EdDSA is coming out soon and it would be great to get that deployed sooner rather than later.

As I said in the session, we'd like to get reviewers and then get the document adopted by the WG and moved along toward publication.

The draft is at either of:


Please send any comments to the list or to us as authors.

I also am maintaining this over in GitHub at: https://github.com/danyork/draft-deploying-dnssec-crypto-algs
If you are a GitHub user you are welcome to file an issue there or send text in a pull request.

Regardless, we'd just like any feedback (even if to say that it looks good).


Dan York
Senior Content Strategist, Internet Society
y...@isoc.org   +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork   http://twitter.com/danyork


DNSOP mailing list

Scott Rose, NIST
ph: +1-301-975-8439
Google Voice: +1-571-249-3671