> But if, as part of testing new PQC algorithms, one really does want
> to exercise the full DNSSEC state-machine, including use of DS RRs
> for downgrade-resistant signalling of support for particular
> algorithms, then Mark's proposal seems to make sense, and does not
> appear to impose any burden on implementations that don't support
> PRIVATE algorithms.
I think in the case of PQC experiments the following holds true:

- DNSOP is considered overloaded.
- A draft for a standards track RFC should have a strong argument why this change is needed.
- There are 2 code points for private DS algorithms that could be used to implement what is described in this draft.

So I think it is on the PQC experiments to describe why using one of those code points for private hash functions is not enough to conduct the experiment. Just saying that new standard hash functions (which are completely different from the behavior of any of the current hash functions) do not 'appear to impose any burden on implementation [...]' is not enough.

In my opinion, PQC experiments should use SHA-256. However, that discussion is less relevant at the moment. Any experiment that wants to use a different hash function can just use a code point for private hash functions.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
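Since the thread turns on what a DS RR commits to and where the digest-type code point enters the picture, here is an added worked example (not from the thread, and not code from any draft discussed in it) that builds DS records for a DNSKEY per RFC 4034 section 5.1.4 and performs the validator-side match. The DNSKEY is constructed: flags 257, protocol 3, algorithm 13 and an 8-byte placeholder key that is not a real public key. The function and constant names (`make_ds`, `dnskey_matches_ds`, `EXAMPLE_RDATA`, ...) are this example's own, and only the registry digest types 1, 2 and 4 are wired up; a private or experimental digest type would be an additional entry in `DS_DIGESTS`, and a validator that lacks that entry treats the DS as not matching rather than guessing.

```python
"""Build and verify DS RRs for a DNSKEY (RFC 4034 s5.1.4, key tag per App. B).

Added example with a constructed DNSKEY; the key bytes are a placeholder.
"""
import hashlib
import hmac

# DS digest types from the IANA registry that this example implements.
DS_DIGESTS = {
    1: hashlib.sha1,    # SHA-1 (legacy; not for new DS records)
    2: hashlib.sha256,  # SHA-256, the digest type the post recommends
    4: hashlib.sha384,  # SHA-384
}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of an owner name."""
    labels = [] if name in ("", ".") else name.rstrip(".").lower().split(".")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner: str, rdata: bytes) -> bytes:
    """The DS digest is taken over owner name (wire form) || DNSKEY RDATA."""
    return name_to_wire(owner) + rdata


def make_ds(owner: str, rdata: bytes, digest_type: int) -> dict:
    """Parent-side: derive the DS RR fields for one digest type."""
    try:
        h = DS_DIGESTS[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": h(ds_digest_input(owner, rdata)).hexdigest().upper(),
    }


def ds_presentation(owner: str, ds: dict) -> str:
    """Zone-file form: owner IN DS keytag algorithm digesttype digest."""
    return (f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """Validator-side: does this DNSKEY match the parent's DS?

    A DS whose digest type we do not implement cannot authenticate the key,
    so it is reported as not matching instead of being skipped silently.
    """
    if ds["digest_type"] not in DS_DIGESTS:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = make_ds(owner, rdata, ds["digest_type"])["digest"]
    return hmac.compare_digest(expected, ds["digest"].upper())


# Constructed DNSKEY: KSK (flags 257), protocol 3, algorithm 13,
# placeholder 8-byte key (a real ECDSA P-256 key would be 64 bytes).
EXAMPLE_OWNER = "example.com."
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(8)))

if __name__ == "__main__":
    for digest_type in sorted(DS_DIGESTS):
        ds = make_ds(EXAMPLE_OWNER, EXAMPLE_RDATA, digest_type)
        print(ds_presentation(EXAMPLE_OWNER, ds))
        print("  validator match:", dnskey_matches_ds(EXAMPLE_OWNER, EXAMPLE_RDATA, ds))
```

The point worth noticing is that the digest type is the only thing in the DS RR that names a hash function; the key tag and algorithm fields are copied from the child's DNSKEY. Swapping the hash used for the DS therefore changes nothing in the DNSKEY or RRSIG RRs, which is why the digest-type registry is where a hash-function experiment would surface.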
