On 7/29/25 17:40, Philip Homburg wrote:
> This draft seems to have as an implicit model that as soon as an algorithm is no longer UNIVERSAL, validators can completely drop support. I think that is the wrong approach.
I agree, that's indeed the wrong approach, and the draft does not intend to say that (and I believe does not say that). The draft stays agnostic about when to introduce or drop support for certain algorithms. It only says what to do *if* you drop support.
> The problem with the validation requirement for FORMERLY-UNIVERSAL in the current draft is that if a zone is dual signed with both RSASHA1(5) and RSASHA256(8) then if a validator does not support RSASHA1, it has to consider the zone insecure.
If that's not good (which is very possible), then algorithm 5 should not be labeled FORMERLY-UNIVERSAL. I'll make this adjustment, so that the label cannot be used retroactively, but only in the future (when a current algorithm is found to be in declining support).

Best,
Peter

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
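As an added example (not part of the thread or of the draft), the following Python models the validator decision for the dual-signed zone discussed above under the algorithm-agility rules already in the RFCs (RFC 4035 section 5.2 and RFC 6840 section 5.11): RRSIGs with unsupported algorithms are ignored rather than treated as failures, and the zone is insecure only when none of the DS algorithms is supported. The zone data is constructed and the cryptographic check is stubbed as a boolean.

```python
from dataclasses import dataclass

RSASHA1, RSASHA256 = 5, 8   # IANA DNSSEC algorithm numbers


@dataclass(frozen=True)
class Rrsig:
    algorithm: int
    valid: bool  # outcome of the cryptographic check, stubbed here


@dataclass(frozen=True)
class Chain:
    ds_algorithms: frozenset   # algorithms listed in the parent's DS RRset
    dnskey_sigs: tuple         # RRSIGs over the child's DNSKEY RRset
    data_sigs: tuple           # RRSIGs over the RRset being validated


def validate(chain: Chain, supported: frozenset) -> str:
    # RFC 4035 5.2: if the validator supports none of the DS algorithms,
    # there is no supported authentication path; the zone is insecure.
    usable = chain.ds_algorithms & supported
    if not usable:
        return "insecure"
    # RFC 6840 5.11: any single valid path suffices. Signatures made with
    # unsupported algorithms are neither required nor counted as failures.
    dnskey_ok = any(s.algorithm in usable and s.valid for s in chain.dnskey_sigs)
    data_ok = any(s.algorithm in supported and s.valid for s in chain.data_sigs)
    return "secure" if dnskey_ok and data_ok else "bogus"


def dual_signed_zone(sha1_ok: bool = True, sha256_ok: bool = True) -> Chain:
    """Constructed sample: a zone signed with both RSASHA1(5) and RSASHA256(8)."""
    sigs = (Rrsig(RSASHA1, sha1_ok), Rrsig(RSASHA256, sha256_ok))
    return Chain(frozenset({RSASHA1, RSASHA256}), sigs, sigs)


if __name__ == "__main__":
    zone = dual_signed_zone()
    print(validate(zone, frozenset({RSASHA256})))            # secure
    print(validate(zone, frozenset({RSASHA1, RSASHA256})))   # secure
    print(validate(zone, frozenset({13})))                   # insecure
    print(validate(dual_signed_zone(sha256_ok=False), frozenset({RSASHA256})))  # bogus
```

A validator that has dropped RSASHA1 therefore still reaches "secure" on the dual-signed zone under the existing rules; only a zone whose DS RRset carries no supported algorithm falls back to "insecure".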
