Questions on the new DNSSEC spec

While the newest version of the RR draft is being edited, there are points
that need to be agreed on before they make it into the spec. These issues
are thought to be too minor on their own to warrant a full-fledged Internet
Draft describing these changes.

Q1: From the current discussion on name compression and DNSSEC RRs: The
text describing the "signer's name" of the SIG RR and "next domain name" of
the NXT field should be changed along the lines of the Unknown RR types
draft. That is, name compression MUST NOT be used in these fields when
sending on the wire, but a resolver should be able to handle name
compression in these fields without error if it encounters it.

   a. "MUST NOT compress DNS names found in the RDATA" is the
      paraphrased text in the -04 version of the unknown RRs draft.

Q2: Crypto Algorithm status: The new (proposed) algorithm status is:

   VALUE    Algorithm                  RFC   STATUS
   0        Reserved
   1        RSA/MD5                          NOT RECOMMENDED
   2        Diffie-Hellman                   OPTIONAL
   3        DSA                              OPTIONAL
   4        elliptic curve                   OPTIONAL
   5        RSA/SHA1                         REQUIRED
   6-251    available for assignment         -
   252      indirect                         OPTIONAL
   253      private                          OPTIONAL
   254      private                          OPTIONAL
   255      reserved

The changes are that DSA is made OPTIONAL and RSA/SHA1 is now the only
mandatory to implement algorithm. Everything else remains as it was.

The WG needs to reach consensus on these issues; silence will be assumed to
mean that the changes are acceptable. I don't think we need a hard deadline
on these issues, but answers ASAP please.

Scott
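
The rule proposed in Q1, sketched as an added example (not part of the original message or of any draft): the sender writes names in SIG/NXT RDATA without compression, while the receiver still follows compression pointers and rejects pointer loops. It assumes the RFC 1035 wire format for names; `encode_name`, `decode_name` and `SAMPLE` are hypothetical names.

```python
MAX_NAME = 255  # RFC 1035 limit on the wire length of a domain name

def encode_name(name: str) -> bytes:
    """Sender side: length-prefixed labels, never a compression pointer."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw:
            continue  # root name: only the terminating zero octet
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    out.append(0)
    if len(out) > MAX_NAME:
        raise ValueError("name longer than 255 octets")
    return bytes(out)

def decode_name(msg: bytes, offset: int):
    """Receiver side: return (name, offset just past the field), tolerating pointers."""
    labels, end, seen, total = [], None, set(), 1
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two high bits set: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2  # the field itself ends after the first pointer
            if target in seen:
                raise ValueError("compression pointer loop")
            seen.add(target)
            offset = target
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:
            return ".".join(labels) + ".", (offset + 1 if end is None else end)
        else:
            total += length + 1
            if total > MAX_NAME or offset + 1 + length > len(msg):
                raise ValueError("bad label")
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

# Constructed sample: a name at offset 0, then a name field at offset 13
# that ends in a pointer back to offset 0.
SAMPLE = encode_name("example.com.") + b"\x04host\xc0\x00"
```

Decoding the field at offset 13 of `SAMPLE` yields `host.example.com.`, and passing that name to `encode_name` produces the uncompressed form a sender would put on the wire.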