Hi Philip,
On 10/25/25 21:37, Philip Homburg wrote:
We'd like to hear both support for and technical objections to the
Nutshell Proof of Sanity, so we can put subsequent work on more
solid footing.
The 'Nutshell Proof of Sanity' is trivially true with the current
DNSSEC validation rules. If a validator does not support
certain algorithms and it comes across a DS RRsets that consists of
only unsupported algorithms then the validator treats the child
zone as insecure.
The 'Nutshell Proof of Sanity' states that same thing for a more
narrow set of algorithms (only those that must be implemented by
validators) where the current rules apply to all algorithms.
However, I don't see how this 'Nutshell Proof of Sanity' can be applied
to the topic at hand. Direct application of the proof would make
RSA/SHA1 a universal algorithm.
No; for the application of that proposed behavior, there would have to be some
consensus about which algorithms are mainstream (universal) in that sense.
When/how/whether that can be achieved is a different question. The authors
currently only want to assess the WG's position on the general line of thinking
expressed in the Sanity tl;dr section.
(Related: draft-crocker-dnsop-dnssec-algorithm-lifecycle)
As far as I know, the previous discussion was about FORMERLY-UNIVERSAL
algorithms. I now think that 'FORMERLY-UNIVERSAL' is the wrong concept.
It is not that the rules for FORMERLY-UNIVERSAL are wrong, it is that
FORMERLY-UNIVERSAL is the wrong way to classify algorithms that were
once UNIVERSAL.
Maybe; I'd prefer to not argue about particular ways for categorization just yet. Let's first
resolve primary question above. (For this reason, the tl;dr does not use the term "(formerly)
universal" etc.) Let's talk about the "how" later.
Best,
Peter
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
