On 10-01-17 17:50, Paul Wouters wrote:
> On Tue, 10 Jan 2017, Matthijs Mekking wrote:
>
>> I see that IESG has approved this document, but I am still wondering
>> this:
>>
>> On 01-12-16 13:20, Matthijs Mekking wrote:
>>> Hi,
>>>
>>> I read this again. I still wonder if in the case of DNSSEC Delete
>>> Algorithm it wouldn't be easier to say: In case the DNSSEC algorithm is
>>> 0, the Digest/Public Key MUST be ignored.
>>>
>>> This way, you don't have to change the CDS/CDNSKEY format defined in
>>> RFC 7344, most likely causing fewer problems with deployed software.
>
> I personally think the simplification of using all zeros is good. If
> someone accidentally changes the wrong number in the DS record when
> changing parameters, it will prevent a mistaken delete request. While
> the zone might still fail, at least it won't be forced to go through a
> period of insecure while the parental DS gets repopulated.

I am fine with using all zeros. I just don't think the change in resource
record format is a good idea, dropping the last RDATA field from the CDS
record.

Matthijs

>
> Paul
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
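
The two delete rules weighed in this thread, compared on a record with a single mistyped field. This is an added Python example, not code from the thread participants or the draft. It assumes the four-field CDS presentation format (key tag, algorithm, digest type, hex digest) and a one-octet zero digest for the "all zeros" record; the function names and sample records are constructed.

```python
from typing import NamedTuple

class CDS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def parse_cds(rdata: str) -> CDS:
    """Parse CDS RDATA text: key-tag algorithm digest-type hex-digest."""
    fields = rdata.split()
    if len(fields) < 4:
        # Assumption: this sketch keeps all four RDATA fields present.
        raise ValueError("expected 4 RDATA fields, got %d" % len(fields))
    tag, alg, dtype = (int(f) for f in fields[:3])
    if not (0 <= tag <= 0xFFFF and 0 <= alg <= 0xFF and 0 <= dtype <= 0xFF):
        raise ValueError("numeric field out of range")
    return CDS(tag, alg, dtype, bytes.fromhex("".join(fields[3:])))

def is_delete_alg_only(cds: CDS) -> bool:
    """Rule A: algorithm 0 means delete; every other field is ignored."""
    return cds.algorithm == 0

def is_delete_all_zero(cds: CDS) -> bool:
    """Rule B: delete only when every field, digest included, is zero."""
    return (cds.key_tag == 0 and cds.algorithm == 0 and cds.digest_type == 0
            and len(cds.digest) > 0 and not any(cds.digest))

def compare(rdata: str) -> tuple:
    """Return (rule A verdict, rule B verdict) for one CDS record."""
    cds = parse_cds(rdata)
    return is_delete_alg_only(cds), is_delete_all_zero(cds)

# Constructed sample records (not taken from any real zone).
DIGEST = "ab" * 32
SAMPLES = {
    "intended delete": "0 0 0 00",
    "normal update": "12345 13 2 " + DIGEST,
    "typo: algorithm 13 entered as 0": "12345 0 2 " + DIGEST,
}

if __name__ == "__main__":
    for label, rdata in SAMPLES.items():
        print(label, compare(rdata))
```

Only the mistyped record separates the two rules: rule A reads it as a delete request, rule B does not.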
