[DNSOP] Re: The conservative approach and the liberal approach for DNSSEC algorithm rollover
Cathy Zhang <scooct@163.com> Wed, 13 May 2026 01:04 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Iv8Y8QSAdZsf0oaeAPZvU3Yf_Uo>
Hi Libor,

Thanks for your reply. Judging by the current RFCs, although RFC 6781 proposes two approaches, it still specifically outlines how the conservative approach should be implemented, which is compliant with RFC 4035.

Cathy

At 2026-05-12 22:31:22, "Libor Peltan" <libor.peltan=40nic.cz@dmarc.ietf.org> wrote:

> Hi Cathy,
>
> it is slightly puzzling me that one RFC (6781) encourages "loose interpretation" (in fact, violation) of another RFC (4035).
>
> I'd stick with what is called the "conservative approach", until draft-huque-dnsop-multi-alg-rules makes it to RFC (I wish!).
>
> Libor
>
> On 12. 05. 26 11:27, Cathy Zhang wrote:
>
> > Hi all,
> >
> > RFC 6781 defines two modes for algorithm rollover: the conservative approach and the liberal approach. And the relevant description is given on page 29 of RFC 6781 as follows:
> >
> > However, there are implementations of validators known to follow the more conservative approach. Performing a Double-Signature KSK algorithm rollover will temporarily make your zone appear as Bogus by such validators during the rollover. Therefore, the rollover described in this section will explain the stages of deployment and will assume that the conservative approach is used.
> >
> > Is this distinction still necessary today, or is it possible to adopt the same approach as for ZSK/KSK rollover?
> >
> > BR,
> > Cathy