At 8:19 -0500 12/17/08, Scott Rose wrote:
Implementations that support RSA/SHA-2 algorithms SHOULD also implement NSEC3 denial of existence [RFC5155].

I agree with Alex that if we go with option 2 below, that SHOULD would have to be changed to MUST to keep it consistent.
The problem with that is the scope of the requirement. Why would an authoritative name server implementation have to comply with RFC 5155 because it wants to use RSA/SHA-2(56)? (Assuming there is no requirement for RFC 5155 in the intended market for the server.)
I could see "Implementations of DNSSEC validators MUST" - provided we have defined what a "DNSSEC validator" is.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Never confuse activity with progress. Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>