--On 17 December 2008 10:25:29 -0500 Edward Lewis <Ed.Lewis@neustar.biz> wrote:
>> Implementations that support RSA/SHA-2 algorithms SHOULD also implement NSEC3 denial of existence [RFC5155].
>>
>> I agree with Alex that if we go with option 2 below, that SHOULD would have to be changed to MUST to keep it consistent.
>
> The problem with that is the scope of the requirement. Why would an authoritative name server implementation have to comply with RFC 5155 because it wants to use RSA/SHA-2(56)? (Assuming there is no requirement for RFC 5155 in the intended market for the server.) I could see "Implementations of DNSSEC validators MUST" - provided we have defined what a "DNSSEC validator" is.
My proposal, in the event we go with option 2, was to move the 'SHOULD' recommendation from 5.2 (servers and validators) to 5.2.1 (servers), as 5.2.2 (validators) already contains a 'MUST' for this. This was to address the confusion of there being a SHOULD and a MUST for the same thing for validators.

Or are you arguing that in option 2 there should not even be a "SHOULD" for servers?

Alex