Re: DNSSEC-RECORDS ISSUE: DSA from Mandatory to Optional
The words MANDATORY and OPTIONAL are confusing to me.

It says:

    A DNSSEC aware resolver or name server MUST implement all MANDATORY
    algorithms.

So, I know that MANDATORY is equivalent to 2119's MUST.
Is "OPTIONAL" equal to "SHOULD" or "MAY"?

I feel uncomfortable with DSA as "MAY".
I would feel okay with DSA as "SHOULD".

If we had a documented third alternative, I might feel okay if it said
you MUST implement at least two algorithms. Of course, that wouldn't
guarantee that we could "failover" to the other algorithm, since there
wouldn't be a unique choice of what to failover to.

You may want to look at draft-ietf-ipsec-ikev2-algorithms-04.txt for
how IPsec is handling this topic.

] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [