
Re: [dnsext] RSA/SHA2 new NSEC3 text proposal



Edward Lewis wrote:
> At 8:19 -0500 12/17/08, Scott Rose wrote:
> 
>>>     Implementations that support RSA/SHA-2 algorithms SHOULD also
>>>     implement NSEC3 denial of existence [RFC5155].
>>>
>>
>> I agree with Alex that if we go with option 2 below, that SHOULD would
>> have to be changed to MUST to keep it consistent.
> 
> The problem with that is the scope of the requirement.  Why would an
> authoritative name server implementation have to comply with RFC 5155
> because it wants to use RSA/SHA-2(56)?  (Assuming there is no
> requirement for RFC 5155 in the intended market for the server.)
> 
> I could see "Implementations of DNSSEC validators MUST" - provided we
> have defined what a "DNSSEC validator" is.

I always assumed "validator" as used in RFC 4033.  But I see your point
about "implementations" being too broad.  Perhaps having that statement
only refer to validator implementations?

Scott
-- 
----------------------------------------
Scott Rose            Computer Scientist
NIST
ph: +1 301-975-8439
scott.rose@nist.gov

http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------
