Re: I-D ACTION:draft-ietf-dnsext-ds-sha256-02.txt
>>>>> On Fri, 16 Dec 2005 09:19:28 -0500, Edward Lewis <Ed.Lewis@neustar.biz> said:
Edward> I realize this doesn't answer the question "did the group?":
Edward> Isn't everything subject to local policy? (I think so.) For
Edward> the sake of interoperability, is this important? (I don't
Edward> think so.)
Edward> Therefore my opinion is that it should be SHOULD. As in a
Edward> recommendation.
Ed, I think the wording issues that Chris pointed out were the real
issue. Thus the new text I think fixes your problems:
<t> Validator implementations MUST be able to ignore DS RRs
containing SHA-1 digests if DS RRs with SHA-256 digests are
present in the DS RRset. This behavior SHOULD be the default.
Validator implementations MAY provide configuration settings
that allow network operators to specify preference policy when
validating multiple DS records containing different digest
types.</t>
It was unclear from both you and David if the MUST you had issues with
was in relation to the ability or the default (since the original
sentence sort of implied both). The above means the ability must be
there (which I think the WG previously agreed upon) but only SHOULD be
on by default and MAY be configurable. That actually leaves room for
implementations to do whatever they want (which I'm not sure is good
since they can prefer SHA-1 over SHA-256 without configuration to do
otherwise, but hey...)
--
Wes Hardaker
Sparta, Inc.
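As an added illustration (not text from the draft, nor code from any named validator), here is how a validator could apply the quoted rule to a DS RRset that mixes digest types, including the MAY knob that switches the SHOULD-be-default preference off. The knob name `prefer_sha256`, the zone name and the key bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

SHA1, SHA256 = 1, 2                      # DS digest type codes
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def compute_key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, dnskey_rdata, digest_type):
    """DS for a DNSKEY: digest(owner wire name | DNSKEY RDATA), per RFC 4034 5.1.4."""
    h = HASHES[digest_type](wire_name(owner) + dnskey_rdata).digest()
    return DS(compute_key_tag(dnskey_rdata), dnskey_rdata[3], digest_type, h)

def select_ds(rrset, prefer_sha256=True):
    """The quoted rule: if any SHA-256 DS is present, ignore the SHA-1 ones.
    prefer_sha256=False models the MAY configuration knob that turns the
    SHOULD-be-default preference off (assumed name, not from the draft)."""
    if prefer_sha256 and any(ds.digest_type == SHA256 for ds in rrset):
        return [ds for ds in rrset if ds.digest_type != SHA1]
    return list(rrset)

def ds_matches(ds, owner, dnskey_rdata):
    """True if the DS authenticates this DNSKEY: recompute and compare the digest."""
    if ds.digest_type not in HASHES or ds.key_tag != compute_key_tag(dnskey_rdata):
        return False
    return make_ds(owner, dnskey_rdata, ds.digest_type).digest == ds.digest

# Constructed sample data, not real keys: a current KSK published with both
# digest types plus a stale SHA-1 DS for a retired key.
ZONE = "example."
KSK_RDATA = bytes([0x01, 0x01, 3, 5]) + bytes(range(1, 33))    # flags 257, proto 3, alg 5
OLD_RDATA = bytes([0x01, 0x01, 3, 5]) + bytes(range(200, 232))
RRSET = [make_ds(ZONE, KSK_RDATA, SHA1), make_ds(ZONE, KSK_RDATA, SHA256),
         make_ds(ZONE, OLD_RDATA, SHA1)]
```

With the default preference only the SHA-256 DS survives and it still authenticates the current KSK; with the knob off all three records remain and the stale SHA-1 DS is back in play, which is the "prefer SHA-1 over SHA-256" outcome the message worries about.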
archive: <http://ops.ietf.org/lists/namedroppers/>