> On 15 Nov 2025, at 06:03, Philip Homburg <[email protected]> wrote:
>
> In your letter dated Fri, 14 Nov 2025 18:06:05 +0000 you wrote:
>> Code points 253 and 254 are PRIVATE*. This is the issue we're talking
>> about, and the reason the change is needed.
>>
>> If you have a DS record with 253 in its algorithm field, you have not
>> specified the key algorithm. The DNSKEY RRset may contain any number of
>> keys with algorithm 253, all with different algorithms, because when that
>> code point is in use, the algorithm is encoded into the key data, not the
>> algorithm field.
>
> Using a private hash algorithm (as opposed to the PRIVATE* signature
> algorithms), this draft can be implemented without a standards track
> RFC.
No, it can't be. Those are only safely usable in a closed environment as there is no co-ordination over their content. PRIVATEDNS and PRIVATEOID are designed to be used over the public internet. This is achievable because identifiers in the DNSKEY and RRSIG records leverage the DNS and OID registration schemes to provide uniqueness.

> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
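The point made in the thread, that a DNSKEY with algorithm 253 or 254 carries its real algorithm identifier inside the key data rather than in the algorithm field, can be seen by parsing the key material as RFC 4034 Appendix A.1.1 describes it. This is an added example, not code from the thread or from ISC; it assumes that for PRIVATEOID the length byte counts the BER content octets of the OID (no tag or length header), and the sample keys are constructed.

```python
# Added example: extract the private algorithm identifier that RFC 4034
# Appendix A.1.1 places at the front of the DNSKEY public key field when the
# algorithm field is 253 (PRIVATEDNS) or 254 (PRIVATEOID). Assumption: for 254
# the length byte counts the BER content octets of the OID only.
import struct

PRIVATEDNS, PRIVATEOID = 253, 254


def _read_name(buf, off):
    """Decode an uncompressed wire-format domain name at buf[off]."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        if ln & 0xC0:
            raise ValueError("compression is not allowed in DNSKEY key data")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def _decode_oid(raw):
    """Turn BER OID content octets into dotted-decimal form."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val or not arcs:
        raise ValueError("malformed OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_dnskey(rdata):
    """Return (flags, algorithm, private identifier or None, key material)."""
    flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
    key = rdata[4:]
    if alg == PRIVATEDNS:
        ident, off = _read_name(key, 0)
        return flags, alg, ident, key[off:]
    if alg == PRIVATEOID:
        n = key[0]
        return flags, alg, _decode_oid(key[1:1 + n]), key[1 + n:]
    return flags, alg, None, key


def effective_algorithms(rrset):
    """Set of (algorithm number, embedded identifier) pairs present in an RRset."""
    return {(p[1], p[2]) for p in map(parse_dnskey, rrset)}


# Constructed sample: KEY_A and KEY_B both say 253 in the algorithm field but
# name different algorithms in the key data, so a DS with algorithm 253 alone
# cannot tell them apart. KEY_C carries OID 1.2.840 via PRIVATEOID.
KEY_A = struct.pack("!HBB", 257, 3, PRIVATEDNS) + b"\x05alg-a\x07example\x00\x01\x02"
KEY_B = struct.pack("!HBB", 257, 3, PRIVATEDNS) + b"\x05alg-b\x07example\x00\x03\x04"
KEY_C = struct.pack("!HBB", 256, 3, PRIVATEOID) + b"\x03\x2a\x86\x48\x05\x06"
```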
