On Tue, Nov 11, 2025 at 10:17:44AM +0100, Philip Homburg wrote:
> I'm looking at it from the point of view of implementations that currently
> have no support for PRIVATE* but may get used for PQC experiments.
>
> Adding new DS hash functions that need to be implemented by those
> experiments does not help for that use-case.

If a DS RRset contains only new and unknown hash algorithm code points,
then the delegation is treated as insecure, I believe.

And, if there are two DS records for the same key, one with each of the old
and new hash code points, then an older validator would use the old hash
format, and behave exactly as it does now. Meaning, if the validator has no
PRIVATE* support, it would fail to recognize the DNSKEY algorithm 253
or 254, so that delegation would also be treated as insecure.

The only tricky case is a validator that knows about PRIVATE* but
doesn't know the new hash code points.

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
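
As an added illustration of the DS-selection rule described above (constructed example code, not part of this thread or of any validator implementation), the following Python model walks through the three cases: a DS RRset with only new hash code points, a pair of old and new DS records for the same key, and the validator that knows PRIVATE* but not the new hash. NEW_DIGEST is a placeholder for a hypothetical new DS digest type, and PRIVATE* support is modelled simply as algorithm numbers 253/254 being in the validator's set.

```python
"""Model of the DS-selection step (RFC 4035 s5.2 / RFC 6840 s5.2).

A DS record is usable only if the validator implements BOTH its digest type
and the DNSKEY algorithm it refers to. If no DS record is usable, the
delegation is treated as insecure (unsigned); otherwise the validator must
go on to verify the DNSKEY RRset via one of the usable DS records.
"""
from dataclasses import dataclass

PRIVATEDNS, PRIVATEOID = 253, 254   # PRIVATE* DNSKEY algorithm code points
SHA256 = 2                          # existing DS digest type
NEW_DIGEST = 250                    # placeholder for a hypothetical new DS hash (constructed)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int     # DNSKEY algorithm this DS refers to
    digest_type: int   # hash used to build the digest
    digest: bytes      # constructed sample value, not a real digest


@dataclass(frozen=True)
class Validator:
    digest_types: frozenset   # DS hashes it implements
    algorithms: frozenset     # DNSKEY algorithms it implements (253/254 iff PRIVATE* support)


def usable_ds(rrset, v):
    """DS records the validator can actually check: known digest AND known algorithm."""
    return [ds for ds in rrset
            if ds.digest_type in v.digest_types and ds.algorithm in v.algorithms]


def delegation_status(rrset, v):
    """'insecure' when nothing is usable, else 'validate' (verification must proceed)."""
    return "validate" if usable_ds(rrset, v) else "insecure"


# Constructed validators: no PRIVATE*; PRIVATE* but no new hash (the tricky case); both.
OLD = Validator(frozenset({SHA256}), frozenset({8, 13}))
OLD_PRIVATE = Validator(frozenset({SHA256}), frozenset({8, 13, PRIVATEDNS, PRIVATEOID}))
NEW = Validator(frozenset({SHA256, NEW_DIGEST}), frozenset({8, 13, PRIVATEDNS, PRIVATEOID}))

# Constructed DS RRsets for a PRIVATEDNS key: only the new hash, or old and new for the same key.
ONLY_NEW = [DS(12345, PRIVATEDNS, NEW_DIGEST, b"\x01")]
BOTH = ONLY_NEW + [DS(12345, PRIVATEDNS, SHA256, b"\x02")]

if __name__ == "__main__":
    for name, rrset in (("only new hash", ONLY_NEW), ("old+new hash", BOTH)):
        for vname, v in (("old", OLD), ("old+PRIVATE*", OLD_PRIVATE), ("new", NEW)):
            print(f"{name:14} / {vname:13} -> {delegation_status(rrset, v)}")
```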

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]