On 30 Nov 2007, at 6:43 AM, Ólafur Guðmundsson /DNSEXT chair wrote:
Please speak up if this change is of concern to you. If no one speaks up by Dec 7th I will tell our AD the changes are fine.
So the change is that the basic-4 steps procedure was removed and replaced with text that amounts to "We'll solve this when we get to this".
For those who are not up to speed with the issue that is being addressed, the thread causing all this starts here:
http://ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00553.html

To me it is clear that the current text postpones dealing with the problem that starts with the premises in Sam Weiler's observation: "but we aren't (as far as I can tell) requiring that an NSEC3-SHA256-capable resolver also support NSEC3-SHA1"
If the requirement to support old algorithms would exist, then the rollover is one that we currently understand.
Personally I could imagine that the introduction of a new hashing algorithm would be able to deal with that requirement: if all else fails, using the blunt instrument of a flag date. Hopefully there is a more elegant way. Finding resolvers not supporting the old algorithm is unlikely, but I appreciate the fact that a corner case remains a corner case and will need to be dealt with.
Anyhow, as far as I am concerned, this is a corner case that can be dealt with later. The current text does sufficiently flag this is an issue and I am confident there is at least one blunt way to solve the issue.
In other words I am supportive of this change. No hats.

--Olaf

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/