Re: Q2: crypto algorithm requirements for DNSSEC
Mark.Andrews@isc.org writes:
> > There is a difference between "MUST implement" and "MUST use". We
> > could always specify "must implement" for two algorithms, but provide
> > language that suggests that you should use one and should not use the
> > other.
>
> The problem is that if you don't sign with both you can't
> easily withdraw one of them when you need to. The resolver
> can protect itself if both signatures are there. It can
> simply choose to ignore one of them. If they are both not
> there then it doesn't get this choice and you will get dead
> branches as a result.
So you re-sign your zone. You have to re-sign it periodically
anyway, so what's the big deal? Why have twice the data and perform
twice the work on the minuscule chance that one of the algorithms will
be broken during the time your signatures are valid?
From a security viewpoint, you want the code deployed to allow you to
quickly move from one algorithm to another -- but that does *NOT* mean
that you need to use (or WANT to use) both algorithms for all your
data all the time.
> Mandatory to implement also applies to signing. You haven't
> implemented if you are not using it.
I completely disagree. You can implement something but not use it.
> Mark
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
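A small model of the two positions in this exchange, added here as an example and not code from either poster. It assumes a validator accepts an RRset when at least one RRSIG uses an algorithm it supports and still trusts; the algorithm names "A" and "B", the resolver populations and the phase sequences are constructed for illustration.

```python
# Added example (not from the thread): which validators end up with a
# "dead branch" under dual-signing versus re-sign-to-switch, and whether a
# validator that stops trusting a broken algorithm can still validate.
from typing import Dict, FrozenSet, List

Algs = FrozenSet[str]


def validates(sig_algs: Algs, supported: Algs, distrusted: Algs = frozenset()) -> bool:
    """True if some RRSIG algorithm is both supported and still trusted."""
    return bool(sig_algs & (supported - distrusted))


def zone_phases(old: str, new: str, dual_sign: bool) -> List[Algs]:
    """Signature-algorithm sets a zone publishes while moving from old to new.

    dual_sign=True  : sign with both, then withdraw the old one.
    dual_sign=False : sign with one algorithm at a time and re-sign to switch.
    """
    if dual_sign:
        return [frozenset({old}), frozenset({old, new}), frozenset({new})]
    return [frozenset({old}), frozenset({new})]


def dead_branches(phases: List[Algs], resolvers: Dict[str, Algs],
                  distrusted: Algs = frozenset()) -> Dict[str, List[int]]:
    """For each resolver population, the phase indexes where validation fails."""
    return {name: [i for i, algs in enumerate(phases)
                   if not validates(algs, supported, distrusted)]
            for name, supported in resolvers.items()}


def survives_break(sig_algs: Algs, broken: str, supported: Algs) -> bool:
    """Can a validator that ignores a broken algorithm still validate the zone
    as currently signed, without waiting for the zone to be re-signed?"""
    return validates(sig_algs, supported, frozenset({broken}))


if __name__ == "__main__":
    # Constructed resolver populations: which algorithms each one implements.
    resolvers = {"old-only": frozenset({"A"}), "new-only": frozenset({"B"}),
                 "both": frozenset({"A", "B"})}
    for dual in (True, False):
        label = "dual-sign" if dual else "single-sign"
        print(label, dead_branches(zone_phases("A", "B", dual), resolvers))
    # With only A in use, a validator that stops trusting A has nothing left
    # to check; with both signatures present it simply picks B.
    print(survives_break(frozenset({"A"}), "A", frozenset({"A", "B"})))      # False
    print(survives_break(frozenset({"A", "B"}), "A", frozenset({"A", "B"})))  # True
```

Either strategy leaves resolvers that implement only the withdrawn algorithm unable to validate once it is gone; what dual signing buys is the validator's choice to drop a broken algorithm before the zone is re-signed.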
archive: <http://ops.ietf.org/lists/namedroppers/>