On Tue, Jun 30, 2026 at 6:53 AM Johan Stenstam <johan.stenstam= [email protected]> wrote:
For now, I'd like to see draft-huque-dnsop-multi-alg-rules move forward. Yet your question seem to be slightly different. Yes, they are somewhat overlapping, but have different focus. Shumon’s > focus, AFAIK, is multi-signer with disjoint algorithms among providers > (which is obviously also interesting to me). My focus is making PQ-DNSSEC > viable by limiting the size expansion to only hit the DNSKEY RRset (and > then not query for DNSKEY over UDP). > Johan, Yes, disjoint multi-signer algorithms was my original motivation, but the use cases have grown significantly beyond that: operator migration across disjoint alg providers, pre-publication of the root zone trust anchor in advance of an algorithm rollover. And we do also try to cover the use case of different KSK/ZSK algs, but I need to remind myself of the details, and how it interacts (or not) with your proposal. PS. We've just put out a new revision of that draft: https://datatracker.ietf.org/doc/html/draft-huque-dnsop-multi-alg-rules-08 While preparing this revision, I noticed that in earlier versions we had relaxed only the RRSIG presence rule, and not the DNSKEY presence rule in the face of "universal" algs. That was an omission, (and did not technically permit the trust anchor publication use case to work for example), which is now repaired. We are aware that there is a fair amount of interest in this draft as it keeps coming up in many discussions (including this thread). We have not asked for agenda time at IETF126, as it has already been presented twice before. Instead, we have asked the chairs to issue a call for adoption, which I hope they will agree to do soon. Shumon.
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
