Petr Menšík <[email protected]> wrote:
> I want to optimize clients to receive, cache and distribute only signatures
> used by someone. Current DNSSEC protocol forces clients to receive all
> unknown algorithms authoritatives have. Even if they are able to signal they
> won't use them or don't trust them.

What I'm hearing is that even if you receive the extra signatures, you'd like
to only cache ones you can understand, and then only answer with that smaller
set.
I think the answer side is a problem, but I don't think the cache side is a
problem.
...
> Every client should receive only the best signature possible per record. It
> may receive more, if some of its clients need something different. Without
> getting less secure, it should use only actually used RRSIGs.

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
