On Tue, 10 Jan 2017, Matthijs Mekking wrote:
I see that the IESG has approved this document, but I am still wondering this:
On 01-12-16 13:20, Matthijs Mekking wrote:
Hi,
I read this again. I still wonder if in the case of DNSSEC Delete
Algorithm it wouldn't be easier to say: In case the DNSSEC algorithm is
0, the Digest/Public Key MUST be ignored.
This way, you don't have to change the CDS/CDNSKEY format defined in RFC
7344, most likely causing fewer problems with deployed software.
I personally think the simplification of using all zeros is good. If
someone accidentally changes the wrong number in the DS record when
changing parameters, it will prevent a mistaken delete request. While
the zone might still fail, at least it won't be forced to go through a
period of insecure while the parental DS gets repopulated.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
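The two rules discussed in the thread, side by side, as an added example that is not part of the original mails or of any DNS software: a parent-side check of a child's CDS record under the all-zero sentinel (key tag 0, algorithm 0, digest type 0, one zero digest octet, the form published in RFC 8078) versus the "algorithm 0 alone means delete" alternative. The CDS record type, the mistyped record and the digest value are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CDS:
    """One CDS record in presentation order: key tag, algorithm, digest type, digest (hex)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


# The DS-delete sentinel from RFC 8078: every field zero, digest is a single zero octet.
DELETE_CDS = CDS(0, 0, 0, "00")


def parse_cds(rdata: str) -> CDS:
    """Parse presentation-format rdata such as '12345 13 2 AB...'; digest may be split by spaces."""
    tag, alg, dtype, *digest = rdata.split()
    return CDS(int(tag), int(alg), int(dtype), "".join(digest).upper())


def is_delete_all_zero(rr: CDS) -> bool:
    # Strict rule: only the exact all-zero sentinel is a delete request.
    return rr == DELETE_CDS


def is_delete_algorithm_only(rr: CDS) -> bool:
    # The alternative from the quoted mail: algorithm 0 alone means delete, rest ignored.
    return rr.algorithm == 0


def parent_action(rr: CDS, strict: bool) -> str:
    """What the parent does with its DS for this CDS: 'delete', 'keep' (reject), or 'update'."""
    is_delete = is_delete_all_zero if strict else is_delete_algorithm_only
    if is_delete(rr):
        return "delete"
    if rr.algorithm == 0:
        # Algorithm 0 is not a usable DNSSEC algorithm; under the strict rule a record
        # carrying it that is not the sentinel is malformed, so the existing DS stays put.
        return "keep"
    return "update"


# Constructed sample: the operator meant to change the digest type (2 -> 4) but edited
# the algorithm field instead, so the record accidentally carries algorithm 0.
INTENDED = "12345 13 4 " + "AB" * 32
MISTYPED = "12345 0 2 " + "AB" * 32

if __name__ == "__main__":
    for label, rdata in (("sentinel", "0 0 0 00"), ("intended", INTENDED), ("mistyped", MISTYPED)):
        rr = parse_cds(rdata)
        print(f"{label:9s} strict={parent_action(rr, True):6s} algorithm-only={parent_action(rr, False)}")
```

Under the strict rule the mistyped record is rejected and the parent's DS is left in place; under the algorithm-only rule the same typo removes the DS and the zone goes insecure until it is repopulated.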