> On 23 Mar 2022, at 20:45, Peter van Dijk <[email protected]> wrote:
>
> On Mon, 2022-03-21 at 19:32 +0000, Paul Hoffman wrote:
>> On Mar 21, 2022, at 11:34 AM, Wessels, Duane <[email protected]> wrote:
>>> Is it in response to the DNS-OARC talk we saw about implementing PQC Falcon
>>> in PowerDNS, and they used the next unused algorithm number rather than a
>>> private algorithm?
>>
>> Nils could have picked 253 but probably didn't even think of looking down to
>> the bottom of the list. He was just following the time-honored pattern in
>> the IETF. :-)
>
> (I am not speaking for Nils, to be clear.)
>
> 253 is not for experiments - it is for private production. It requires
> (as most of you might know) prefixing DNSKEY content with a private
> algorithm specifier that looks like a domain name (or, for 254, with an
> OID). This means if you were to use it for an experiment, your DNSKEY
> content, and thus signer and validation code, would need to be changed
> when you get a number assigned.
Please quote where it is stated that "private is not for experimentation". Private is private. Do what you want with it as long as you identify the algorithm uniquely, and that includes experimental implementations.

Also, while it is nice to be able to just change a number to go from experimental to production, in reality removing code that adds / checks the algorithm name at the same time is not a lot to ask vendors to do and is unlikely to cause real problems. If you want, you can actually keep the name in the DNSKEY and DS records as a constant if you are too scared that vendors will muck up the minor change of removing an identifying name.

There is zero reason to reserve any ADDITIONAL space for experimentation. Domain names are cheap, as are OIDs.

I do not support reserving more space.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
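As an added example, not from this thread or from any vendor's code: a small parser for the DNSKEY RDATA layout RFC 4034 Appendix A.1.1 prescribes for private algorithms 253 and 254, showing the identifier prefix Peter describes and the one parsing step that drops away once a registered number replaces it. The `falcon.example.` name, the OID and the key bytes are constructed samples, not values from the thread.

```python
# Added illustration (not code from the thread or any vendor): split DNSKEY RDATA and
# peel off the private-algorithm identifier RFC 4034 A.1.1 puts before the key for 253/254.
import struct

PRIVATEDNS, PRIVATEOID = 253, 254

def _wire_name(data):
    """Decode an uncompressed wire-format name; return (name, octets consumed)."""
    labels, pos = [], 0
    while pos < len(data):
        n = data[pos]
        if n & 0xC0:  # compression pointers are not allowed in RDATA here
            raise ValueError("compressed label in algorithm name")
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    raise ValueError("truncated algorithm name")

def _ber_oid(content):
    """Decode BER OID content octets (no tag/length) to dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]  # first octet encodes the first two arcs together
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(arcs[1:]))

def parse_dnskey(rdata):
    """Return flags, protocol, algorithm, private identifier (or None) and key bytes."""
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    key, ident = rdata[4:], None
    if alg == PRIVATEDNS:
        ident, used = _wire_name(key)
        key = key[used:]
    elif alg == PRIVATEOID:
        n = key[0]
        ident, key = _ber_oid(key[1:1 + n]), key[1 + n:]
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "identifier": ident, "key": key}

# Constructed samples: flags 257, protocol 3, algorithm 253 / 254 / an assigned number.
SAMPLE_253 = bytes([1, 1, 3, 253]) + b"\x06falcon\x07example\x00" + b"\x01\x02"
SAMPLE_254 = bytes([1, 1, 3, 254]) + b"\x05\x2b\x06\x01\x04\x01" + b"\x01\x02"
SAMPLE_ASSIGNED = bytes([1, 1, 3, 17]) + b"\x01\x02"
```

The three samples carry the same key bytes; only the 253 and 254 records need the identifier stripped before the key material is handed to a signing or validation routine.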
