On Tue, Jun 30, 2026 at 6:53 AM Johan Stenstam <johan.stenstam=
[email protected]> wrote:

For now, I'd like to see draft-huque-dnsop-multi-alg-rules move forward.
Yet your question seem to be slightly different.

Yes, they are somewhat overlapping, but have different focus. Shumon’s
> focus, AFAIK, is multi-signer with disjoint algorithms among providers
> (which is obviously also interesting to me). My focus is making PQ-DNSSEC
> viable by limiting the size expansion to only hit the DNSKEY RRset (and
> then not query for DNSKEY over UDP).
>

Johan,

Yes, disjoint multi-signer algorithms was my original motivation, but the
use cases have grown significantly beyond that: operator migration across
disjoint alg providers, pre-publication of the root zone trust anchor in
advance of an algorithm rollover. And we do also try to cover the use case
of different KSK/ZSK algs, but I need to remind myself of the details, and
how it interacts (or not) with your proposal.

PS. We've just put out a new revision of that draft:


https://datatracker.ietf.org/doc/html/draft-huque-dnsop-multi-alg-rules-08

While preparing this revision, I noticed that in earlier versions we had
relaxed only the RRSIG presence rule, and not the DNSKEY presence rule in
the face of "universal" algs. That was an omission, (and did not
technically permit the trust anchor publication use case to work for
example), which is now repaired.

We are aware that there is a fair amount of interest in this draft as it
keeps coming up in many discussions (including this thread). We have not
asked for agenda time at IETF126, as it has already been presented twice
before. Instead, we have asked the chairs to issue a call for adoption,
which I hope they will agree to do soon.

Shumon.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to