Re: Q2: crypto algorithm requirements for DNSSEC
There is a difference between "MUST implement" and "MUST use". We
could always specify "must implement" for two algorithms, but provide
language that suggests that you should use one and should not use the
other.
-derek
Mark.Andrews@isc.org writes:
> > Counter argument is that having two algorithms means that one can be
> > attacked via a break in either algorithm.
>
> That is why the use of a particular algorithm MUST be
> selectable at runtime both in the signer and resolver. We
> already have had to withdraw one algorithm.
>
> > So, while I understand the desire to have a fallback strategy, I'm not
> > sure that we really have one whether DSA is mandatory or not.
>
> Well the choices are:
> * Immediate replacement of all resolvers.
> * Immediate disabling of an algorithm and gradual replacement
> of all resolvers.
>
> You will get *much* higher success with the second vs the first.
>
> Mark
>
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com