RE: Q2: crypto algorithm requirements for DNSSEC
Hello Derek--
Derek wrote:
> I don't think anyone has argued that leaving DSA as a "must implement"
> is over-engineering. I _believe_ that the arguments have been that
> specifying that operationally you MUST USE both RSA _AND_ DSA in your
> zone is over-engineering.
Well, okay, but I don't think that was the question Scott originally
posed:
> There has been previous talk on this list regarding dropping DSA as a
> mandatory to implement algorithm. Instead of writing a whole RFC just to
> propose making DSA optional and RSA/SHA1 the only required algorithm, it
> would be nice to seek consensus here.
[Table and other discussion elided]
> Q: Is the change of DSA to OPTIONAL acceptable? That will leave only
> RSA/SHA1 as the only mandatory to implement algorithm.
I agree that any requirement that folks MUST USE both RSA and DSA (must
sign each record with both) is over-engineering, and actually provides
no added security while having a significant operational cost (sorry,
have to disagree with Mark A. on this one).
I don't think that's what Scott originally asked, though, which is why
I piped up in the first place. Did I miss something?
--Rip
archive: <http://ops.ietf.org/lists/namedroppers/>