On Sun, Nov 16, 2025 at 11:44:35AM +0100, Philip Homburg wrote:
> In my opinion this is a very strong anti-pattern. It is not good for the
> state of DNSSEC if a signed zone is considered secure by one validator
> and not by another. That leads to fragmentation, makes security analysis
> harder.

That's how DNSSEC works, though. A zone signed by an unknown algorithm is
treated as if it were not signed. Any new or experimental algorithm will
produce a signed zone that looks insecure to older validators; it's always
been that way.

> For this reason we carefully manage the RECOMMENDED and MUST Implement status
> of algorithms to make sure that validators support an algorithm before it
> is recommended to use it in production.

Mark said "used over the public internet", not "recommended for use in
production". An experimental algorithm obviously can't be deployed for
production use yet, but that doesn't mean experiments should fail.

Currently, PRIVATE* algorithms do not work correctly: they require klugey
workarounds that change the way validators behave, throwing unnecessary
variables into the testing process. It was a design flaw to have DS records
that fail to identify the signing algorithm in the keys they digest.

--
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
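Added example (not code from the thread, and not from any validator implementation) illustrating the two points made above: a validator that supports none of the algorithms in a DS RRset treats the child zone as unsigned rather than bogus, so two validators with different algorithm support give different answers for the same delegation; and for a PRIVATEDNS key (algorithm 253, per RFC 4034 section 3.1) the DS algorithm field is simply 253, so the DS cannot say which private algorithm the digested key actually uses. The rule modelled in `delegation_status` is the RFC 4035 section 5.2 / RFC 6840 section 5.2 behaviour in simplified form; the DNSKEY, the algorithm name `example-alg.test.` and the validator support sets are constructed sample values, and `ds_record` computes only a SHA-256 (digest type 2) DS.

```python
"""Added example: why an unknown-algorithm zone looks unsigned, and why a DS
record cannot name a PRIVATE* algorithm. Not code from the thread or from any
validator; RFC 4034/4035/6840 behaviour is modelled here in simplified form."""
import hashlib
import struct
from typing import Dict, Iterable, Optional, Set

# RFC 4034 section 3.1: algorithm 253 (PRIVATEDNS) puts a wire-format domain
# name that identifies the actual algorithm at the start of the public key.
PRIVATEDNS = 253


def wire_name(name: str) -> bytes:
    """Encode a domain name in uncompressed, lower-case wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> Dict[str, object]:
    """Build a DS (digest type 2 = SHA-256) for a DNSKEY. The digest covers the
    whole key, but the algorithm field is copied from the DNSKEY, so for a
    PRIVATEDNS key it is just 253: the name embedded in the key is not visible."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": 2,
        "digest": hashlib.sha256(wire_name(owner) + rdata).hexdigest(),
    }


def private_algorithm_name(rdata: bytes) -> Optional[str]:
    """For a PRIVATEDNS key, parse the algorithm-identifying name from the
    public key field. Returns None for any other algorithm."""
    if rdata[3] != PRIVATEDNS:
        return None
    pos, labels = 4, []
    while rdata[pos] != 0:
        length = rdata[pos]
        labels.append(rdata[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."


def delegation_status(ds_algorithms: Iterable[int], supported: Set[int]) -> str:
    """RFC 4035 section 5.2 / RFC 6840 section 5.2: if a validator supports none
    of the algorithms in the DS RRset it treats the child zone as unsigned
    ("insecure"), not as bogus; only a supported algorithm leads to validation."""
    return "validate" if any(a in supported for a in ds_algorithms) else "insecure"


def compare_validators(ds_algorithms: Iterable[int], validators: Dict[str, Set[int]]) -> Dict[str, str]:
    """Show the fragmentation Philip objects to: the same delegation gets a
    different status from validators with different algorithm support."""
    algs = list(ds_algorithms)
    return {name: delegation_status(algs, supp) for name, supp in validators.items()}


if __name__ == "__main__":
    # Constructed sample: a zone whose only DS uses algorithm 15 (Ed25519).
    print(compare_validators([15], {"old-validator": {8, 13}, "new-validator": {8, 13, 15}}))
    # Constructed PRIVATEDNS key; the algorithm name is a placeholder, not a real algorithm.
    key = dnskey_rdata(257, 3, PRIVATEDNS, wire_name("example-alg.test.") + b"\x00" * 32)
    print(private_algorithm_name(key), ds_record("example.", key)["algorithm"])
```

Running the script prints `insecure` for the older validator and `validate` for the newer one on the same DS, and shows that the DS built from the PRIVATEDNS key carries algorithm 253 while the identifying name only becomes visible once the DNSKEY itself is fetched and parsed, which is the extra step the workarounds mentioned above have to add.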
