On Jul 8, 2025, at 12:52, Tim Wicinski <[email protected]> wrote:

> Under "Security Considerations", in the section "DNS Spoofing and DNSSEC
> Validation", the current text is not precise enough.
>
> Current:
>
> DNSSEC validation SHOULD be performed by Application Service Providers that
> verify Validation Records they have requested to be deployed.
>
> Suggested:
>
> DNSSEC validation MUST be performed by Application Service Providers that
> verify Validation Records they have requested to be deployed. A "Bogus" or
> "Indeterminate" result (as defined in [[RFC4033]]) MUST NOT be accepted. A
> "Secure" or "Insecure" result SHOULD be accepted.
This requires that the target zone must sign with signatures that are the ones being validated. If the ASP only trusts RSA and ECDSA, and the target zone is signed with EdDSA, the user cannot achieve DCV and probably cannot determine why it is failing. This does not feel like a best practice.

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
