[DNSOP] Re: The conservative approach and the liberal approach for DNSSEC algorithm rollover
Frederico A C Neves <fneves@registro.br> Tue, 12 May 2026 14:49 UTC
Date: Tue, 12 May 2026 11:49:17 -0300
From: Frederico A C Neves <fneves@registro.br>
To: Libor Peltan <libor.peltan=40nic.cz@dmarc.ietf.org>
Message-ID: <agM97XwTCU5TvXar@registro.br>
References: <57c4f22.390be.19e1b8328d2.Coremail.scooct@163.com> <5f9c95b0-6667-4e1a-8057-7940373b061b@nic.cz>
In-Reply-To: <5f9c95b0-6667-4e1a-8057-7940373b061b@nic.cz>
CC: Cathy Zhang <scooct@163.com>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vTA7PtoTr_toRZgugHBoL3RGYTg>
On Tue, May 12, 2026 at 04:31:22PM +0200, Libor Peltan wrote:
> Hi Cathy,
>
> it is slightly puzzling to me that one RFC (6781) encourages "loose
> interpretation" (in fact, violation) of another RFC (4035).
>
> I'd stick with what is called the "conservative approach", until
> draft-huque-dnsop-multi-alg-rules makes it to RFC (I wish!).
>
> Libor
>
> On 12. 05. 26 11:27, Cathy Zhang wrote:
> > Hi all,
> >
> > RFC 6781 defines two modes for algorithm rollover: the conservative
> > approach and the liberal approach. And the relevant description is
> > given on page 29 of RFC 6781 as follows:
> >
> >    However, there are implementations of validators known to follow the
> >    more conservative approach. Performing a Double-Signature KSK
> >    algorithm rollover will temporarily make your zone appear as Bogus by
> >    such validators during the rollover. Therefore, the rollover
> >    described in this section will explain the stages of deployment and
> >    will assume that the conservative approach is used.
> >
> > Is this distinction still necessary today, or is it possible to
> > adopt the same approach as for ZSK/KSK rollover?

Since at least 2017 many TLDs have done algroll using the liberal
approach. The presentations below illustrate our journey on how to do
it safely. The first one has the root of the question based on the
events that happened in Jan/2011.

https://indico.dns-oarc.net/event/28/contributions/513/attachments/487/794/algorith-rollover-approach.pdf

https://icann-hamster.nl/ham/soac/ssac/dnssec/icann62/br%20DNSSEC.pdf

To answer your question, in our experience today you could follow the
liberal approach quite safely.

> > BR,
> > Cathy

Fred
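The two validator behaviours the thread is about can be made concrete with a small simulation. The following Python is an added illustration, not code from the thread, from RFC 6781, or from any validator implementation. It models a zone only by the set of DNSSEC algorithm numbers present in the parent's DS RRset, the apex DNSKEY RRset and the RRSIGs over the zone's RRsets (the signatures themselves are assumed to verify), and walks the stages of the RFC 6781 section 4.1.4 double-signature rollover next to a "publish the new key first, as in a ZSK/KSK rollover" sequence. The stage names are our own labels; algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are real IANA values.

```python
"""Conservative vs. liberal DNSSEC validation during an algorithm rollover.

Added example (not from the mailing-list thread or any validator).
A zone is reduced to three sets of algorithm numbers; signatures are
assumed to verify, so only the multi-algorithm rules are exercised.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneState:
    name: str
    ds: frozenset       # algorithms present in the parent's DS RRset
    dnskey: frozenset   # algorithms present in the apex DNSKEY RRset
    rrsig: frozenset    # algorithms that sign every RRset in the zone


def conservative_ok(z: ZoneState) -> bool:
    """Strict reading of RFC 4035 section 2.2 applied by the validator:
    every algorithm in the DNSKEY RRset must sign every RRset, and every
    algorithm in the DS RRset must be represented by a DNSKEY."""
    return z.dnskey <= z.rrsig and z.ds <= z.dnskey


def liberal_ok(z: ZoneState) -> bool:
    """RFC 6840 section 5.11 reading: the validator accepts any single
    valid chain, i.e. one algorithm present in DS, DNSKEY and RRSIG."""
    return bool(z.ds & z.dnskey & z.rrsig)


def first_bogus_stage(stages, checker):
    """Name of the first stage the given validator would treat as Bogus,
    or None if the whole rollover validates."""
    for stage in stages:
        if not checker(stage):
            return stage.name
    return None


OLD, NEW = 8, 13   # RSASHA256 -> ECDSAP256SHA256 (constructed scenario)
F = frozenset

# RFC 6781 section 4.1.4 order: new signatures first, new DNSKEY next,
# new DS after that, then withdraw the old material in reverse order.
CONSERVATIVE_ROLLOVER = [
    ZoneState("initial",                 F({OLD}),      F({OLD}),      F({OLD})),
    ZoneState("new RRSIGs published",    F({OLD}),      F({OLD}),      F({OLD, NEW})),
    ZoneState("new DNSKEY published",    F({OLD}),      F({OLD, NEW}), F({OLD, NEW})),
    ZoneState("new DS published",        F({OLD, NEW}), F({OLD, NEW}), F({OLD, NEW})),
    ZoneState("old DS withdrawn",        F({NEW}),      F({OLD, NEW}), F({OLD, NEW})),
    ZoneState("old DNSKEY withdrawn",    F({NEW}),      F({NEW}),      F({OLD, NEW})),
    ZoneState("old RRSIGs withdrawn",    F({NEW}),      F({NEW}),      F({NEW})),
]

# ZSK/KSK-style order: the new key is pre-published before it signs
# anything, and the DS is swapped before the old key is retired.
LIBERAL_ROLLOVER = [
    ZoneState("initial",                              F({OLD}), F({OLD}),      F({OLD})),
    ZoneState("new DNSKEY published, old RRSIGs only", F({OLD}), F({OLD, NEW}), F({OLD})),
    ZoneState("zone re-signed with both algorithms",   F({OLD}), F({OLD, NEW}), F({OLD, NEW})),
    ZoneState("DS swapped to new algorithm",           F({NEW}), F({OLD, NEW}), F({OLD, NEW})),
    ZoneState("old DNSKEY and RRSIGs withdrawn",       F({NEW}), F({NEW}),      F({NEW})),
]


def report(stages):
    """Per-stage verdicts as (name, conservative_ok, liberal_ok)."""
    return [(s.name, conservative_ok(s), liberal_ok(s)) for s in stages]


if __name__ == "__main__":
    for label, seq in (("RFC 6781 order", CONSERVATIVE_ROLLOVER),
                       ("ZSK/KSK-style order", LIBERAL_ROLLOVER)):
        print(label)
        for name, cons, lib in report(seq):
            print(f"  {name:45s} conservative={'ok' if cons else 'BOGUS':5s} "
                  f"liberal={'ok' if lib else 'BOGUS'}")
```

Running it shows the point the quoted RFC 6781 text makes: the RFC 6781 ordering validates at every stage under both readings, while the ZSK/KSK-style ordering is Bogus for a conservative validator at the stage where the new DNSKEY is visible but has not yet signed the zone, and fine for a liberal one throughout. Whether the second ordering is acceptable in practice is exactly the operational question of the thread; the model only makes the failure mode visible.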