RE: MagicType draft
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org]On Behalf Of Miek Gieben
> >
> > What happens if there is a mix of DNSSECbis and "this method" keys in a DS
> > set?
>
> I'm adding this to the "Loose Ends" section... :-)
>
> But I guess the answer is, you mustn't do that. If we say you MUST NOT
> do that, it would conflict with DNSSECbis.
>
Really? I would think that it would almost work. Wouldn't it be the same
as having 2 DS RRs, and one having an unknown algorithm type? A DNSSECbis
validator would still be able to validate positive responses; it's negative
responses that would cause some errors (unknown algorithms code). Depending
on local policy, the validator might resend the query in an attempt to get
an RRSIG it can understand.
> This shows IMO that using the algorithms field of DS is a hack, and
> maybe we should do what Roy suggested and use a new DS type for this
> altogether,
>
Another option, but does that mean that there would be a DS RR and this new
type? That would cause the same issues as 2 DS RRs.
Scott
PS - this post may be the result of a flu-induced haze.
> grtz Miek
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>