Re: [dnsext] Clarifying the mandatory algorithm rules

[Jelte Jansen <jelte@isc.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/22/2010 09:53 AM, Matthijs Mekking wrote:
> 
>> If it is the DS set that specifies which algorithms are used, you either have to
>> have both algorithms in that set at one point, or have the zone fully signed
>> with both algorithms. But if you have both DS's in there, and the zone itself
>> signed with only one, it'll be bogus for validators that only support the other
>> algorithm.
> 
>> But I now notice that the current draft for 4641bis says not to do pre-publish
>> rollover when switching algorithms, only double signature, so that's ok :)
> 
> Actually, you cannot even do pre-publish algorithm rollover. In order to
> introduce the new algorithm at the parent, you need to fully sign your
> zone with that algorithm. Effectively, it becomes a double-signature
> rollover.
> 

That's what I was saying; for algorithm rolls: pre-publish bad, double sig good.


>> The part about adding signatures first could probably be removed if 4035 is
>> clarified (changed, depending on one's POV ;) ) that it is the DS set and not
>> the DNSKEY set that one should check for algorithm support.
> 
> You would still need to pre-publish signatures if you want to support
> RFC 5011 (because you have no method to delay adding this trust anchor
> until the zone is fully signed with the new algorithm).
> 

I was trying to carefully tread around the trust-anchor thing until the point
above was cleared out :) But I'm not sure at all why this is (or should be)
different (except that it could take longer)

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzqOLIACgkQ4nZCKsdOncXCjACgxq14jNd90u1BfwGXdRZefxiJ
35gAnA3XZHAVFDKriFQWXDwqrQ/f+UIP
=dHsn
-----END PGP SIGNATURE-----