On Fri, Nov 14, 2025 at 08:39:21AM +0100, Philip Homburg wrote:
> I noticed that IANA has now reserved digest algorithms 253 and 254 for
> private use. Given the extremely limited use of the PRIVATE* algorithms
> in the past 20 years, it seems better if you would just switch to
> 253 or 254. Then we don't have to have a new standards track document
> for an extremely limited use-case.

Code points 253 and 254 are PRIVATE*. This is the issue we're talking about, and the reason the change is needed. If you have a DS record with 253 in its algorithm field, you have not specified the key algorithm. The DNSKEY RRset may contain any number of keys with algorithm 253, all with different algorithms, because when that code point is in use, the algorithm is encoded into the key data, not the algorithm field.

That lack of feature parity between DS and DNSKEY is a significant hindrance to the implementation of PRIVATE*. We know that because we tried, and it hindered us.

> I'm happy with the way DS was specified. It would be very annoying if DS would
> require an implementation to handle PRIVATE* just to have a compliant
> implementation of DS.

None of this is mandatory to implement. If you're not implementing PRIVATE* then you'd just ignore code points 253 and 254 completely; there's no reason to have code to pull the algorithm out of the digest field. All you'd have to do is treat digest type 8 the same as digest type 4.

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
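To make the DS/DNSKEY parity gap concrete, here is an added illustration (not code from the thread or from ISC): it builds DNSKEY RDATA for algorithm 253 (PRIVATEDNS), where the public key field starts with a wire-encoded name identifying the private algorithm per RFC 4034 Appendix A.1.1, derives a standard SHA-256 DS (digest type 2) from it, and shows that the DS algorithm field carries only 253 while the real algorithm identity is recoverable only from the DNSKEY. The algorithm names and key bytes are constructed sample values; the proposed digest type 8 from the thread is not modelled.

```python
import hashlib
import struct

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name (RFC 1035 labels plus root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data: bytes, pos: int = 0):
    """Parse an uncompressed wire-format name; return (name, position after it)."""
    labels = []
    while True:
        ln = data[pos]
        pos += 1
        if ln == 0:
            return ".".join(labels) + ".", pos
        labels.append(data[pos:pos + ln].decode("ascii"))
        pos += ln

def private_dns_key_rdata(alg_name: str, key_material: bytes) -> bytes:
    """DNSKEY RDATA for algorithm 253: flags 257 (KSK), protocol 3, then the public
    key field, which begins with the wire-encoded private algorithm name."""
    return struct.pack("!HBB", 257, 3, 253) + encode_name(alg_name) + key_material

def dnskey_algorithm(rdata: bytes):
    """Algorithm as seen from the DNSKEY: for 253 the identity lives in the key data."""
    alg = rdata[3]
    if alg == 253:
        name, _ = decode_name(rdata, 4)
        return f"PRIVATEDNS:{name}"
    return alg

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (form used for every algorithm except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner: str, rdata: bytes) -> dict:
    """DS per RFC 4034 section 5.1: algorithm copied from the DNSKEY's algorithm
    field, digest type 2 = SHA-256 over owner name || DNSKEY RDATA."""
    digest = hashlib.sha256(encode_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}

def ds_algorithm(ds: dict):
    """What a DS consumer can learn about the key algorithm: nothing for PRIVATE*."""
    return None if ds["algorithm"] in (253, 254) else ds["algorithm"]
```

Two keys carrying different private algorithm names yield two DS records that both say algorithm 253; only the DNSKEY RRset can tell them apart, which is the gap the post describes.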
