> So again, MUST NOT is the right choice. I'm going to write tests for
> Knot Resolver to ensure we never set AD bit for zones signed using MD5.
> Right now.

If you want to accomplish this, why not actually follow the MUST NOT and remove MD5 support so it is treated as an unsupported algorithm and also won't get an AD bit? That way your code has no MD5-specific handling.

Also, as PaulH reminded people, MD5 != HMAC_MD5 and I'd be shocked to see a forged MD5 signature.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
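The point of the reply above, that removing an algorithm from the validator's supported set makes zones signed only with it fall out as "insecure" (no AD bit) without any algorithm-specific branch, can be shown in a few lines. The following is an added example, not code from the thread, from Knot Resolver or from any other resolver; the function names, the two "supported" sets and the input lists are assumptions constructed for illustration. The algorithm numbers are the IANA DNSSEC algorithm registry values, and the "no supported algorithm means insecure, not bogus" rule is the one in RFC 4035 section 5.2.

```python
# Added example: how a validator decides the AD bit from its supported
# algorithm set, contrasting a resolver that still implements RSAMD5 with
# one that has dropped it. Not the code of any real resolver.

# IANA DNSSEC algorithm numbers (real registry values)
RSAMD5 = 1
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15

# Hypothetical supported sets (constructed for this example)
SUPPORTED_WITHOUT_MD5 = {RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519}
SUPPORTED_WITH_MD5 = SUPPORTED_WITHOUT_MD5 | {RSAMD5}


def validation_state(signing_algorithms, supported, signature_verifies):
    """Return 'secure', 'insecure' or 'bogus' for one zone.

    signing_algorithms: algorithm numbers present in the zone's DS/DNSKEY
                        RRsets (constructed input in the tests below)
    supported:          algorithm numbers this validator implements
    signature_verifies: callable(alg) -> bool, whether an RRSIG made with
                        that algorithm checks out cryptographically
    """
    usable = [alg for alg in signing_algorithms if alg in supported]
    if not usable:
        # No algorithm the validator understands: RFC 4035 s5.2 says treat
        # the zone as unsigned (insecure), not bogus. Nothing here mentions
        # MD5; it is simply absent from `supported`.
        return "insecure"
    if any(signature_verifies(alg) for alg in usable):
        return "secure"
    # A supported algorithm was present but no signature validated
    return "bogus"


def ad_bit(state):
    """The AD bit may only be set on a response validated as secure."""
    return state == "secure"


def md5_only_zone_sets_ad(supported):
    """Convenience check: would a zone signed only with RSAMD5 get AD,
    assuming its MD5 signature is cryptographically valid?"""
    state = validation_state([RSAMD5], supported, lambda alg: True)
    return ad_bit(state)


if __name__ == "__main__":
    print("AD with MD5 support   :", md5_only_zone_sets_ad(SUPPORTED_WITH_MD5))
    print("AD without MD5 support:", md5_only_zone_sets_ad(SUPPORTED_WITHOUT_MD5))
```

Running it shows the contrast the reply is making: with RSAMD5 in the supported set a verifying MD5 signature yields "secure" and AD is set, whereas with RSAMD5 removed the same zone is "insecure" and AD stays clear, with no MD5-specific code path needed. A zone that is dual-signed (MD5 plus a supported algorithm) still validates as secure through the supported one.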