Hi Mike,

On 8/8/25 21:02, Michael StJohns wrote:
      * Deprecated processing treats the deprecated records as if they were
        unsupported, with the single exception that a DNSSEC delegation into a
        zone that consists only of SHA1-dependent DS records (e.g. no other
        delegations to the domain using non-SHA1 algorithms) is treated as if
        it were a secure delegation to an insecure zone.

What does this mean? ("secure delegation to an insecure zone")

      * Strict processing treats the deprecated records as if they were
        unsupported.  A zone delegation using only unsupported algorithms is
        treated as Bogus per << ref>>.

If a validator does not support the (only) algorithm used by a zone, then the 
zone is insecure, not bogus.

Best,
Peter
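
The distinction drawn in the reply above, between a delegation whose DS records use only unsupported algorithms (insecure) and one that fails validation (bogus), as an added example that is not part of the original message or of any validator's code. The validator profile (SHA-1 algorithms and digest removed), the `chain_validates` callback and the DS values are assumptions constructed for illustration; the rule follows RFC 4035 section 5.2 and RFC 6840 section 5.2.

```python
from typing import Callable, Iterable, NamedTuple


class DS(NamedTuple):
    key_tag: int
    algorithm: int    # DNSKEY algorithm number (5 = RSASHA1, 13 = ECDSAP256SHA256)
    digest_type: int  # DS digest type (1 = SHA-1, 2 = SHA-256)


# Assumed validator profile: SHA-1 based algorithms and digests are unsupported.
SUPPORTED_ALGS = frozenset({8, 13, 15})   # RSASHA256, ECDSAP256SHA256, ED25519
SUPPORTED_DIGESTS = frozenset({2, 4})     # SHA-256, SHA-384


def usable_ds(ds_rrset: Iterable[DS]) -> list:
    """DS records this validator can act on: both the key algorithm and
    the digest type must be supported; the rest are ignored."""
    return [ds for ds in ds_rrset
            if ds.algorithm in SUPPORTED_ALGS
            and ds.digest_type in SUPPORTED_DIGESTS]


def classify_delegation(ds_rrset: list,
                        chain_validates: Callable[[DS], bool]) -> str:
    """Classify a delegation from an already authenticated DS RRset.

    An empty ds_rrset means the parent proved that no DS exists.
    chain_validates(ds) is a hypothetical callback that returns True when a
    DNSKEY matching ds exists and correctly signs the child's DNSKEY RRset.
    """
    if not ds_rrset:
        return "insecure"            # proven unsigned delegation
    candidates = usable_ds(ds_rrset)
    if not candidates:
        return "insecure"            # signed, but only with unsupported algorithms
    # At least one usable DS exists, so validation is mandatory from here on.
    if any(chain_validates(ds) for ds in candidates):
        return "secure"
    return "bogus"


# Constructed sample DS RRsets (key tags are made up).
SHA1_ONLY = [DS(1111, 5, 1), DS(2222, 7, 1)]
MIXED = [DS(1111, 5, 1), DS(3333, 13, 2)]

if __name__ == "__main__":
    print(classify_delegation(SHA1_ONLY, lambda ds: False))  # insecure
    print(classify_delegation(MIXED, lambda ds: False))      # bogus
```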

_______________________________________________
DNSOP mailing list -- [email protected]