Late to the party, I am sorry.

I am positive about this document, and support publication. I do have
one comment on the document, requesting an update.

In section 4 it is said it is RECOMMENDED that providers use a common
signing algorithm.  I think this is too weak and it must be a MUST.

The reason given for RECOMMENDED is that the "liberal approach" works.
The liberal approach says that authoritative zones MUST sign RRsets with
every algorithm in the DNSKEY RRset, but validating resolvers don't have
to enforce this requirement. However, that does not mean the
authoritative server can simply ignore this rule.

Also, if two different providers are using different algorithms, that
means two DS records with different algorithms are distributed to the
parent. And now the algorithm is signaled in the parent and a validator
may execute the multiple algorithms protection check, expecting both
chains of trust to work.

In other words, please adapt section 4 to be more strict when it comes
to multiple algorithms. If you agree, I am happy to provide the
suggested text.

Again my apologies for bringing this up so late.

Best regards,

Matthijs
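
The rule under discussion, as an added example that is not part of the original message or of the draft: a small Python check that models what a resolver sees from each provider's copy of the zone (constructed data, algorithm numbers 8 = RSASHA256 and 13 = ECDSAP256SHA256) and reports where a strict validator would fail even though the liberal approach of RFC 6840 still finds one working chain.

```python
"""Model the RFC 4035 section 2.2 rule (every algorithm in the DNSKEY RRset
must sign every RRset) against the per-provider views a multi-signer zone
serves, and compare it with the liberal acceptance of RFC 6840 section 5.11."""
from dataclasses import dataclass, field


@dataclass
class ProviderView:
    """What a resolver sees when it queries one provider's copy of the zone."""
    name: str
    dnskey_algs: frozenset                           # algorithms in the merged apex DNSKEY RRset
    rrsig_algs: dict = field(default_factory=dict)   # "owner/type" -> algorithms that have an RRSIG


def strict_findings(view: ProviderView, ds_algs: frozenset) -> list:
    """Violations a validator enforcing RFC 4035 section 2.2 would report."""
    findings = []
    for alg in sorted(ds_algs - view.dnskey_algs):          # DS at the parent with no matching DNSKEY
        findings.append(f"{view.name}: DS alg {alg} has no DNSKEY in the served RRset")
    for rrset, signed in sorted(view.rrsig_algs.items()):   # each RRset must carry every algorithm
        for alg in sorted(view.dnskey_algs - signed):
            findings.append(f"{view.name}: {rrset} lacks an RRSIG with alg {alg}")
    return findings


def chain_valid_for(view: ProviderView, alg: int) -> bool:
    """True if a validator that picks DS algorithm `alg` gets a complete chain."""
    return alg in view.dnskey_algs and all(alg in s for s in view.rrsig_algs.values())


def liberal_ok(view: ProviderView, ds_algs: frozenset) -> bool:
    """RFC 6840 section 5.11: accept if at least one DS algorithm yields a full chain."""
    return any(chain_valid_for(view, alg) for alg in ds_algs)


# Constructed scenario: provider A signs only with alg 13, provider B only with alg 8,
# both serve the merged DNSKEY RRset and the parent holds a DS for each algorithm.
DS_ALGS = frozenset({8, 13})
MERGED_DNSKEY = frozenset({8, 13})
PROVIDER_A = ProviderView("A", MERGED_DNSKEY, {"DNSKEY": {13}, "www/A": {13}})
PROVIDER_B = ProviderView("B", MERGED_DNSKEY, {"DNSKEY": {8}, "www/A": {8}})
# Same zone with the common signing algorithm the comment above asks for.
COMMON_DS = frozenset({13})
PROVIDER_A_COMMON = ProviderView("A", frozenset({13}), {"DNSKEY": {13}, "www/A": {13}})

if __name__ == "__main__":
    for view in (PROVIDER_A, PROVIDER_B):
        print(view.name, "liberal:", liberal_ok(view, DS_ALGS), "strict:", strict_findings(view, DS_ALGS))
    print("common alg strict:", strict_findings(PROVIDER_A_COMMON, COMMON_DS))
```

With mixed algorithms every provider view passes the liberal check yet fails the strict one, and a validator that happens to follow the other provider's DS algorithm sees no chain at all; with one common algorithm both checks agree.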


On 10/31/19 4:47 PM, Tim Wicinski wrote:
> 
> This starts a Working Group Last Call for
> draft-ietf-dnsop-multi-provider-dnssec
> 
> The current version of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-multi-provider-dnssec/
> 
> The Current Intended Status of this document is: Informational
> 
> FYI, I will not shepherd this document, as it was written with several
> of my coworkers.
> Benno Overeinder will be Document Shepherd.
> 
> Please review the draft and offer relevant comments.
> If this does not seem appropriate please speak out.
> If someone feels the document is *not* ready for publication, please
> speak out with your reasons.
> 
> If there are normative issues, agenda time at IETF106 will be set aside
> to address them.
> 
> This starts a two week Working Group Last Call process, and ends on: 15
> November 2019
> 
> thanks
> tim
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
