[DNSOP] The conservative approach and the liberal approach for DNSSEC algorithm rollover

Cathy Zhang <scooct@163.com> Tue, 12 May 2026 09:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pevao9GccPxADFy8nkZIOhpj9J0>

Hi all,

RFC 6781 defines two modes for algorithm rollover: the conservative approach and the liberal approach. And the relevant description is given on page 29 of RFC 6781 as follows:

   However, there are implementations of validators known to follow the
   more conservative approach.  Performing a Double-Signature KSK
   algorithm rollover will temporarily make your zone appear as Bogus by
   such validators during the rollover.  Therefore, the rollover
   described in this section will explain the stages of deployment and
   will assume that the conservative approach is used.

Is this distinction still necessary today, or is it possible to adopt the same approach as for ZSK/KSK rollover?

BR,
Cathy
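
Added example, not part of the original message: a small model of why the quoted paragraph says a Double-Signature KSK algorithm rollover looks Bogus to a conservative validator but not to a liberal one. It assumes the conservative check is "every algorithm in the DNSKEY RRset must have signed every RRset" and the liberal check is "any one signature from an algorithm with a published key is enough"; the algorithm numbers and zone states are constructed, and DS records and real signature verification are left out.

```python
# Added example: models algorithm coverage only, no cryptographic verification.
# Constructed sample algorithms: 8 = RSASHA256 (old), 13 = ECDSAP256SHA256 (new).
OLD, NEW = 8, 13

def liberal(dnskey_algs, rrsig_algs):
    # One signature made with any algorithm that has a published key suffices.
    return bool(dnskey_algs & rrsig_algs)

def conservative(dnskey_algs, rrsig_algs):
    # Every algorithm present in the DNSKEY RRset must have signed the RRset.
    return dnskey_algs <= rrsig_algs

def zone_status(stage, policy):
    """Return 'Secure' if every RRset in the stage passes the policy, else 'Bogus'."""
    keys = stage["dnskey_algs"]
    ok = all(policy(keys, sigs) for sigs in stage["rrsig_algs"].values())
    return "Secure" if ok else "Bogus"

# Constructed zone states: the set of algorithms that signed each RRset.
STAGES = {
    "initial": {
        "dnskey_algs": {OLD},
        "rrsig_algs": {"DNSKEY": {OLD}, "SOA": {OLD}, "A": {OLD}}},
    # New-algorithm KSK added and signing the DNSKEY RRset; zone data untouched.
    "double-signature KSK": {
        "dnskey_algs": {OLD, NEW},
        "rrsig_algs": {"DNSKEY": {OLD, NEW}, "SOA": {OLD}, "A": {OLD}}},
    # Conservative ordering: publish new-algorithm RRSIGs before the new keys.
    "new RRSIGs first": {
        "dnskey_algs": {OLD},
        "rrsig_algs": {"DNSKEY": {OLD}, "SOA": {OLD, NEW}, "A": {OLD, NEW}}},
    "then new DNSKEY": {
        "dnskey_algs": {OLD, NEW},
        "rrsig_algs": {"DNSKEY": {OLD, NEW}, "SOA": {OLD, NEW}, "A": {OLD, NEW}}},
}

def report():
    """Map each stage name to (liberal result, conservative result)."""
    return {name: (zone_status(s, liberal), zone_status(s, conservative))
            for name, s in STAGES.items()}

if __name__ == "__main__":
    for name, (lib, cons) in report().items():
        print(f"{name:22} liberal={lib:7} conservative={cons}")
```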