Re: DNSSEC and unknown algorithms
At 16:29 -0500 12/16/04, David Blacka wrote:
David Blacka wrote:
My question is, why is this a SHOULD (or "should" in the first paragraph).
Mark Andrews wrote:
The security policy may say otherwise.
That and a verifier might consider this an outright resolution service failure.
(Back to where "my = David"):
Just to clarify, in my head, everything always has an exception for "local
policy". But in this case, am I right in thinking that treating the zone as
*signed* and not entirely bogus is not an option? Or to put this another way,
what other options besides "treat the zone as unsigned" or "write the whole
zone off as bogus due to local policy" does a validator have?
I think the answer to the last question is "none." (With "write off
the zone as bogus" meaning RCODE = service failure.)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
"A noble spirit embiggens the smallest man." - Jebediah Springfield
--
archive: <http://ops.ietf.org/lists/namedroppers/>