On Thu, Jul 20, 2017 at 10:45 AM, Shumon Huque <shu...@gmail.com> wrote:

> On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson <
> ola...@cloudflare.com> wrote:
>>
>>
>> I disagree; if a zone operator selects a "less-than" common algorithm, they
>> do that at their own risk;
>> if the risk is not acceptable, then it should dual sign....
>>
>
> Yes. The point I was trying to make is that DANE sites (and probably
> others if they care about security) cannot afford to fail open. So they
> have to dual sign if they can stomach the costs, or delay deploying new
> algorithms for a long time. This draft is intended to (eventually) make the
> dual signing case easier to deal with operationally.
>


The point I'm making is that the proposed medicine is worse than the
ailment.

Olafur
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
