> On 29 Mar 2022, at 01:34, Paul Hoffman <[email protected]> wrote: > > On Mar 27, 2022, at 6:23 PM, Mark Andrews <[email protected]> wrote: >> There is zero reason to reserve any ADDITIONAL space for experimentation. > > Assume that you want to experiment with creating responses that have multiple > as-yet-undefined algorithms. How would you do that today? Differentiating in > the RRdata, as is done today, would create a single RRset in the response. > > --Paul Hoffman >
You would add records of type 253 with “alg1.example.org” as the first algorithm name, “alg2.example.org” as the second algorithm name where example.org is a domain you control. If someone else is running another experiment they add 253 with the algorithm name specified as “alg1.example.net” where example.net is a domain they control. When you are checking if you support a particular instance of PRIVATEDNS you check the algorithm name as well as the algorithm number (253). For working out if the DS record indicates support for your PRIVATEDNS algorithm you need to find the matching DNSKEY based on the hash and extract the PRIVATEDNS algorithm name. If you can’t find a matching DNSKEY the DNSKEY RRset is bogus as the DS record says that the DNSKEY record exists. If you want to see how this would work add “PRIVATE-RSASHA256” using RSASHA256.ICANN.ORG as the first algorithm name and “PRIVATE-ECDSAP256SHA256” with ECDSAP256SHA256.ICANN.ORG as the second name as a starting point where they are reimplementations of RSASHA256 and ECDSAP256SHA256 respectively. Throw in “UNKNOWN.ICANN.ORG” with some random data as the rest of the key. About the only part not already specified is matching DS to DNSKEY using PRIVATEDNS but as you can see it is obvious to anyone with a little bit of cryptographic understanding. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
