On 5/2/24 10:37, Philip Homburg wrote:
> In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
>> I'm not following what breaks based on the wording I suggested, and I'm not sure why you keep bringing that up. :-)
>
> Let's say I sign my zones using some scripts and ldns-signzone. This
> has been working for years so is now on autopilot.
>
> Then an RFC gets published that signers MUST NOT support signing using SHA1,
> so ldns removes those algorithms. Then a software update brings the new
> version of ldns to my system. Now an unsigned zone gets deployed,

I don't think the draft warrants that assumption. I'd think that the software 
update or signing pipeline or replication mechanism would somehow make the 
admin aware that action needs to be taken.

This is no different from any other kind of potentially significant change, 
such as the change in OpenVPN configuration format between certain updates.

In any case, I don't consider this concern (which I find valid) a matter of 
standardization. It's up to ldns to decide how to handle it, e.g. by releasing 
a new major version to indicate a compatibility risk, etc.

Peter

--
https://desec.io/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
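The scenario in Philip's message (a signer silently dropping an algorithm, and the pipeline publishing whatever came out) is the kind of failure a deploy gate in the signing pipeline should catch. The script below is an added example, not code from either poster, from ldns or from the draft under discussion. It assumes the pipeline writes the signed zone in presentation format (as ldns-signzone does) and that the apex name is known; it refuses a zone that carries no DNSKEY/RRSIG records at all, or whose keys or signatures use a SHA-1 based algorithm. The algorithm numbers 3, 5, 6 and 7 are the SHA-1 based entries of the IANA DNSSEC algorithm registry; the key and signature base64 in the sample zones is placeholder text constructed for the example and is not decoded.

```python
"""Pre-deploy gate for a zone produced by a DNSSEC signing pipeline.

Added example (not from ldns or the mailing-list posters). Parses a zone in
presentation format and refuses to deploy it if it is unsigned or signed with
a SHA-1 based algorithm. Record data is not cryptographically validated.
"""
import re

# SHA-1 based DNSSEC algorithm numbers (IANA registry). These are the entries
# a "signers MUST NOT sign with SHA-1" rule would remove from a signer.
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# owner [ttl] [IN] TYPE rdata   (owner must be explicit on every line)
_RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")


def parse_zone(text):
    """Return a list of (owner, type, rdata_fields) for each record.
    Handles '(' ... ')' continuation lines and ';' comments; $-directives are skipped."""
    records, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip() and depth == 0:
            continue
        buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth > 0:                                # still inside ( ... )
            continue
        logical = buf.replace("(", " ").replace(")", " ").strip()
        buf = ""
        if logical.startswith("$"):
            continue
        m = _RR_RE.match(logical)
        if not m:
            raise ValueError(f"unparseable record: {logical!r}")
        records.append((m.group("owner"), m.group("type"), m.group("rdata").split()))
    return records


def check_signed_zone(text, apex):
    """Return (ok, problems). ok is False when the zone must not be deployed."""
    problems = []
    recs = parse_zone(text)
    dnskeys = [r for r in recs if r[1] == "DNSKEY"]
    rrsigs = [r for r in recs if r[1] == "RRSIG"]
    if not dnskeys:
        problems.append("no DNSKEY records: zone left the pipeline unsigned")
    if not rrsigs:
        problems.append("no RRSIG records: zone left the pipeline unsigned")
    # A signed zone always signs its own apex SOA; its absence means a partial signing run.
    if rrsigs and not any(o == apex and f[0] == "SOA" for o, _, f in rrsigs):
        problems.append("apex SOA has no RRSIG")
    for owner, _, f in dnskeys:                      # DNSKEY rdata: flags protocol algorithm key
        alg = int(f[2])
        if alg in SHA1_ALGORITHMS:
            problems.append(f"DNSKEY at {owner} uses algorithm {alg} ({SHA1_ALGORITHMS[alg]})")
    for owner, _, f in rrsigs:                       # RRSIG rdata: type-covered algorithm labels ...
        alg = int(f[1])
        if alg in SHA1_ALGORITHMS:
            problems.append(f"RRSIG {f[0]} at {owner} uses algorithm {alg} ({SHA1_ALGORITHMS[alg]})")
    return (not problems, problems)


# Constructed sample zones. Key/signature material is placeholder text, not real base64 data.
SIGNED_ZONE = """\
example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. (
                  2024050201 7200 3600 1209600 3600 )   ; serial refresh retry expire minimum
example.com.  3600 IN NS  ns1.example.com.
example.com.  3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==
example.com.  3600 IN RRSIG SOA 13 2 3600 20240601000000 20240502000000 12345 example.com. PLACEHOLDERSIG==
example.com.  3600 IN RRSIG NS 13 2 3600 20240601000000 20240502000000 12345 example.com. PLACEHOLDERSIG==
example.com.  3600 IN RRSIG DNSKEY 13 2 3600 20240601000000 20240502000000 12345 example.com. PLACEHOLDERSIG==
"""
# What an "autopilot" pipeline would emit if the signer silently stopped signing.
UNSIGNED_ZONE = "\n".join(SIGNED_ZONE.splitlines()[:3]) + "\n"
# Same zone signed with RSASHA1-NSEC3-SHA1 (algorithm 7) instead of ECDSAP256SHA256 (13).
LEGACY_ZONE = SIGNED_ZONE.replace(" 13 ", " 7 ")

if __name__ == "__main__":
    import sys
    for name, zone in (("signed", SIGNED_ZONE), ("unsigned", UNSIGNED_ZONE), ("legacy", LEGACY_ZONE)):
        ok, problems = check_signed_zone(zone, "example.com.")
        print(f"{name}: {'DEPLOY' if ok else 'REFUSE'}", *problems, sep="\n  ")
    sys.exit(0 if check_signed_zone(SIGNED_ZONE, "example.com.")[0] else 1)
```

Run it as the last step before the zone is copied to the primary; a non-zero exit stops the deploy and the printed problems tell the admin which of the two failure modes (no signing at all, or a removed algorithm) occurred.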
