I support adopting this. Getting a validator to work with PRIVATEDNS or PRIVATEOID keys, when the key algorithm is encoded into DNSKEY and RRSIG but *not* into DS rdata, is going to be a huge pain, and we should fix it if we want such keys to be viable.
The problem seems to have been overlooked when such keys were originally specified (RFC 4034, appendix A), but DS records also have an algorithm field, so the same extensions as DNSKEY and RRSIG are needed. The language of the draft is currently a little obtuse IMHO, but the proposed fix is straightforward: add a new set of DS digest types, duplicating all the existing ones that aren't deprecated yet, which behave identically to existing digest types for non-private key algorithms, but allow the algorithm's name or OID to be encoded at the beginning of the digest field when the algorithm field is set to PRIVATEDNS or PRIVATEOID.

On Wed, May 21, 2025 at 08:45:31AM +1000, Mark Andrews wrote:
> Can the working group please adopt this document?
>
> DS records are supposed to identify a DNSSEC algorithm but for PRIVATEOID
> and PRIVATEDNS they identify *sets* of algorithms. This means that DS
> records with PRIVATEOID or PRIVATEDNS in the algorithm field currently
> are NOT FIT FOR PURPOSE. This draft corrects that issue.
>
> Mark
>
>> On 16 May 2025, at 18:22, Mark Andrews <[email protected]> wrote:
>>
>>> Begin forwarded message:
>>>
>>> From: [email protected]
>>> Subject: New Version Notification for
>>> draft-andrews-ds-support-for-private-algorithms-00.txt
>>> Date: 16 May 2025 at 18:21:20 AEST
>>> To: "M. Andrews" <[email protected]>, "Mark Andrews" <[email protected]>

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list -- [email protected]
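To make the problem and the proposed fix concrete, here is an added example (not code from the draft, from the thread, or from any resolver) that builds DNSKEY and DS records for a private-algorithm key and shows what a validator can learn from each DS form. It follows RFC 4034 appendix A.1.1 for the DNSKEY public key field (a wire-format algorithm name for PRIVATEDNS, a length byte plus BER-encoded OID for PRIVATEOID) and RFC 4034 section 5.1.4 for the DS digest over owner name plus DNSKEY RDATA. The new digest type value `NEW_SHA256 = 250`, the exact layout of the prefixed digest field, and all names and key bytes are assumptions of this example; the draft assigns the real code points.

```python
"""Constructed example: DS records for PRIVATEDNS/PRIVATEOID keys.

Legacy DS (digest type 2) tells a validator only that *some* private algorithm
is in use. A DS of the proposed kind (placeholder type NEW_SHA256) carries the
algorithm name or OID at the start of the digest field, so the validator can
decide whether it supports the algorithm before it ever fetches the DNSKEY.
"""
import hashlib
import struct

PRIVATEDNS = 253           # RFC 4034 appendix A.1.1
PRIVATEOID = 254
DS_SHA256 = 2              # RFC 4509 digest type
NEW_SHA256 = 250           # ASSUMED placeholder for the draft's new SHA-256 digest type


def wire_name(name: str) -> bytes:
    """Domain name in (lower-cased, canonical) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_wire_name(buf: bytes) -> tuple[str, int]:
    """Return (name, bytes consumed) for an uncompressed wire-format name at buf[0]."""
    labels, pos = [], 0
    while True:
        ln = buf[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(buf[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels) + ".", pos


def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def algorithm_id(alg: int, field: bytes) -> bytes:
    """Private-algorithm identifier at the start of a DNSKEY key field (RFC 4034 A.1.1)."""
    if alg == PRIVATEDNS:
        return field[:parse_wire_name(field)[1]]          # wire-format name
    if alg == PRIVATEOID:
        return field[:1 + field[0]]                        # length byte + BER OID
    return b""


def make_ds(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS RDATA; with NEW_SHA256 the digest field is prefixed by the algorithm id."""
    alg = rdata[3]
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    prefix = algorithm_id(alg, rdata[4:]) if digest_type == NEW_SHA256 else b""
    return struct.pack("!HBB", key_tag(rdata), alg, digest_type) + prefix + digest


def ds_algorithm(ds: bytes) -> tuple:
    """What the DS alone tells a validator about the signing algorithm."""
    alg, dtype, field = ds[2], ds[3], ds[4:]
    if alg not in (PRIVATEDNS, PRIVATEOID):
        return ("public", alg)
    if dtype == NEW_SHA256:
        if alg == PRIVATEDNS:
            return ("privatedns", parse_wire_name(field)[0])
        return ("privateoid", field[1:1 + field[0]].hex())
    return ("unknown-private", None)   # legacy DS: one of a whole *set* of algorithms


def ds_matches_dnskey(ds: bytes, owner: str, rdata: bytes) -> bool:
    """Validator-side check that a DS authenticates a DNSKEY (either DS form)."""
    tag, alg, dtype = struct.unpack("!HBB", ds[:4])
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    field = ds[4:]
    if dtype == NEW_SHA256:
        ident = algorithm_id(alg, rdata[4:])
        if not field.startswith(ident):
            return False                  # DS names a different private algorithm
        field = field[len(ident):]
    elif dtype != DS_SHA256:
        return False                      # unsupported digest type
    return field == hashlib.sha256(wire_name(owner) + rdata).digest()


# Constructed sample keys (algorithm names, OID and key bytes are made up).
OWNER = "example."
KEY_DNS = dnskey_rdata(257, 3, PRIVATEDNS, wire_name("alg.example.") + b"\x01\x02\x03")
KEY_OID = dnskey_rdata(257, 3, PRIVATEOID, b"\x03\x2a\x03\x04" + b"\x05\x06")

if __name__ == "__main__":
    print(ds_algorithm(make_ds(OWNER, KEY_DNS, DS_SHA256)))   # legacy: algorithm unknown
    print(ds_algorithm(make_ds(OWNER, KEY_DNS, NEW_SHA256)))  # proposed: alg.example.
    print(ds_algorithm(make_ds(OWNER, KEY_OID, NEW_SHA256)))  # proposed: OID 2a0304
```

The two `ds_algorithm` results on the same key are the whole point of the thread: the legacy DS can only say "PRIVATEDNS", so a validator cannot apply RFC 4035's "unsupported algorithm means insecure" rule without first fetching and parsing the DNSKEY RRset, while the prefixed form lets it make that decision from the DS itself.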
