Technically only a SHA-2 hash of the key would need to be there. If somebody
can create a SHA-2 hash collision then the world has bigger problems than
a DoS on DNSSEC validation.
How hard would it be to add a possibility for another key algorithm?
Beyond the change to the specs, it would require significant software
changes to every piece of software in the world that signs or validates
DNSSEC. I figure we could have it widely adopted by the 2050s.
We have established that the benefit would be negligible, and caches would
still need to have defensive checks against excessive or duplicate keys
and signatures. Let's talk about something else.
R's,
John
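One shape the defensive checks mentioned above could take, as an added example that is not from this thread or from any resolver's code; the caps, the record classes and the sample RRset are constructed placeholders:

```python
"""Defensive limits a validating cache can apply to a DNSKEY RRset and its
RRSIGs before doing any cryptography.  Added example; the caps below are
constructed placeholders, not values taken from any RFC or resolver."""
from dataclasses import dataclass

MAX_KEYS = 8          # hypothetical cap on distinct keys per RRset
MAX_SIGS = 8          # hypothetical cap on distinct signatures per RRset
MAX_VERIFY_OPS = 16   # hypothetical cap on verifications per RRset


@dataclass(frozen=True)
class DNSKey:
    key_tag: int
    algorithm: int
    public_key: bytes


@dataclass(frozen=True)
class RRSig:
    key_tag: int
    algorithm: int
    signature: bytes


def plan_verifications(keys, sigs):
    """Return the (key, sig) pairs worth verifying, or raise if the RRset
    would cost more work than a cache is willing to spend on it."""
    # Exact duplicates carry no information, so drop them first
    # (dict.fromkeys keeps first occurrence and preserves order).
    uniq_keys = list(dict.fromkeys(keys))
    uniq_sigs = list(dict.fromkeys(sigs))
    if len(uniq_keys) > MAX_KEYS or len(uniq_sigs) > MAX_SIGS:
        raise ValueError("too many keys or signatures in RRset")
    # A signature is only tried against keys whose tag and algorithm match;
    # key tags may legitimately collide, so several keys can still qualify.
    pairs = [(k, s) for s in uniq_sigs for k in uniq_keys
             if k.key_tag == s.key_tag and k.algorithm == s.algorithm]
    if len(pairs) > MAX_VERIFY_OPS:
        raise ValueError("too many candidate key/signature pairings")
    return pairs


if __name__ == "__main__":
    # Constructed RRset: two distinct keys with a colliding tag, one sent twice.
    keys = [DNSKey(12345, 13, b"k1"), DNSKey(12345, 13, b"k1"),
            DNSKey(12345, 13, b"k2"), DNSKey(12345, 8, b"k3")]
    sigs = [RRSig(12345, 13, b"s1"), RRSig(12345, 13, b"s1")]
    print(len(plan_verifications(keys, sigs)), "verification(s) planned")
```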
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop