On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson <ola...@cloudflare.com> wrote:

> I disagree, if a zone operator selects "less-than" common algorithm they
> do that at their own risk,
> if the risk is not acceptable then it should dual sign....

Yes. The point I was trying to make is that DANE sites (and probably others if they care about security) cannot afford to fail open. So they have to dual sign if they can stomach the costs, or delay deploying new algorithms for a long time.

This draft is intended to (eventually) make the dual signing case easier to deal with operationally.

--
Shumon Huque

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop