> > Using a private hash algorithm (as opposed to the PRIVATE* signature
> > algorithms), this draft can be implemented without a standards track
> > RFC.
>
> No, it can't be. Those are only safely usable in a closed environment
> as there is no co-ordination over their content.
>
> PRIVATEDNS and PRIVATEOID are designed to be used over the public
> internet. This is achievable because identifiers in the DNSKEY
> and RRSIG records leverage the DNS and OID registration schemes to
> provide uniqueness.
In my opinion this is a very strong anti-pattern. It is not good for the state of DNSSEC if a signed zone is considered secure by one validator and not by another. That leads to fragmentation and makes security analysis harder. For this reason we carefully manage the RECOMMENDED and MUST Implement status of algorithms to make sure that validators support an algorithm before it is recommended to use it in production.

Obviously, private code points are fine for development and experimenting. And having private code points for isolated networks is fine to avoid conflicts with public use.

So in my opinion DNSOP should not work on a draft that tries to improve the use of private algorithms in production on the public Internet.

_______________________________________________
DNSOP mailing list -- [email protected]
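As an added illustration of the mechanism the quoted message describes (example code written for this page, not from the thread or from any DNSSEC implementation): for the PRIVATEDNS and PRIVATEOID code points the DNSKEY public key field starts with a wire-format domain name or a length-prefixed BER OID, so a validator can only decide support by that identifier, not by the algorithm number alone. The code points 253 and 254, the field layout and the sample records are assumptions taken from RFC 4034, not from the thread.

```python
PRIVATEDNS, PRIVATEOID = 253, 254  # RFC 4034 code points (assumed, not quoted in the thread)

def _read_name(data, off=0):
    """Decode an uncompressed wire-format name; return (name, end offset)."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        n, off = data[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63 or off + n > len(data):
            raise ValueError("bad label")
        labels.append(data[off:off + n].decode("ascii").lower())
        off += n

def _decode_oid(raw):
    """Decode BER OID content octets into dotted notation."""
    if not raw:
        raise ValueError("empty OID")
    arcs, val, more = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        val, more = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not more:
            arcs, val = arcs + [val], 0
    if more:  # last sub-identifier still had its continuation bit set
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))

def private_algorithm_id(rdata):
    """Return (algorithm, identifier, key bytes) from DNSKEY RDATA; identifier
    is a name (253), an OID (254) or None for registered algorithms."""
    if len(rdata) < 4:
        raise ValueError("short DNSKEY RDATA")
    alg, pub = rdata[3], rdata[4:]
    if alg == PRIVATEDNS:
        name, end = _read_name(pub)
        return alg, name, pub[end:]
    if alg == PRIVATEOID:
        if not pub or 1 + pub[0] > len(pub):
            raise ValueError("bad OID length")
        return alg, _decode_oid(pub[1:1 + pub[0]]), pub[1 + pub[0]:]
    return alg, None, pub

def is_supported(rdata, supported):
    """Validator policy: private algorithms match on identifier, others on number."""
    alg, ident, _ = private_algorithm_id(rdata)
    return (alg if ident is None else ident) in supported

# Constructed sample records: flags 257, protocol 3, algorithm, then the key field.
SAMPLE_PRIVATEDNS = bytes([1, 1, 3, 253]) + b"\x03alg\x07example\x00\x01\x02"
SAMPLE_PRIVATEOID = bytes([1, 1, 3, 254]) + bytes([3, 0x2A, 0x86, 0x48, 0xAA])
```

A key whose identifier is not in the validator's configured set is simply unsupported to that validator, which is the interoperability gap the reply above objects to.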
