On Mon, Jul 03, 2023 at 08:25:08PM +0200, Peter Thomassen wrote:
> Now, assume a multi-signer setup of, say, algorithms 7 and 13. This is
> not an uncommon transition (ietf.org did it last month, except that
> they went unsigned). In such a scenario, a resolver on Red Hat would
> only consider

> On 4 Jul 2023, at 04:25, Peter Thomassen wrote:
>
> Dear DNSOP,
>
> It's well-known that DNSSEC multi-signer setups are problematic when
> providers want to sign with different algorithms.
>
> In a hypothetical scenario where signing requirements would be relaxed, I
> have a very

The rules are there to ensure that if the resolver sees an algorithm it
supports then it can validate the response. If you fail to follow the rules
answers won’t ALWAYS validate. If there is one level of validation happening
the validator should recover by trying other servers. If you have

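The rule the reply above relies on (a validator that implements any algorithm listed in the DS RRset must be able to validate the answer it gets) can be made concrete with a small simulation. The code below is an added illustration and is not code from the thread or from any resolver; it models a zone with two providers, one signing only with algorithm 7 and one only with algorithm 13, the parent's DS RRset listing both, and a resolver that implements only algorithm 13 (the situation a distribution that disables algorithm 7 would produce). The provider names, the `Answer` type, and the three-way secure/insecure/bogus classification are simplifications assumed for the example; it ignores the DNSKEY/RRSIG details of a real chain of trust.

```python
"""Simulation of the DNSSEC validation rule discussed in the reply above.

Added illustration, not code from the thread or from any resolver.  A
validator is given the algorithm numbers in the parent's DS RRset, the
algorithms it implements, and the algorithms of the RRSIGs that arrive with
an answer; it classifies the answer, and a driver shows why an answer signed
with only one of two DS-listed algorithms does not always validate, and how
retrying another server recovers.
"""
from dataclasses import dataclass

# Algorithm numbers from the DNSSEC IANA registry (the two the thread names).
RSASHA1_NSEC3_SHA1 = 7
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Answer:
    """What a resolver sees for one query from one provider: which algorithms
    signed the answer (and the zone's DNSKEY RRset) and whether the
    signatures verify.  Simplified model, assumed for this example."""
    rrsig_algorithms: frozenset
    signatures_verify: bool = True


def validation_outcome(ds_algorithms, supported, answer):
    """Classify one answer the way a validator does.

    - No DS algorithm the resolver implements: it cannot build a chain of
      trust at all, so the zone is treated as unsigned -> "insecure".
    - A supported DS algorithm exists and a verifying RRSIG in a supported
      algorithm is present -> "secure" (one validating path is enough;
      signatures in other algorithms are not required).
    - A supported DS algorithm exists but no usable signature arrived ->
      "bogus": the resolver expected to validate and could not.
    """
    if not (ds_algorithms & supported):
        return "insecure"
    if (answer.rrsig_algorithms & supported) and answer.signatures_verify:
        return "secure"
    return "bogus"


def resolve_with_retry(ds_algorithms, supported, providers, order):
    """Query the zone's providers in `order`, retrying on "bogus" as the reply
    suggests a validator should.  Returns (outcome, providers_tried)."""
    tried = []
    for name in order:
        tried.append(name)
        outcome = validation_outcome(ds_algorithms, supported, providers[name])
        if outcome != "bogus":
            return outcome, tried
    return "bogus", tried


# Constructed multi-signer scenario: provider "A" signs only with algorithm 7,
# provider "B" only with algorithm 13, and the parent's DS RRset lists both.
PROVIDERS = {
    "A": Answer(frozenset({RSASHA1_NSEC3_SHA1})),
    "B": Answer(frozenset({ECDSAP256SHA256})),
}
DS_ALGORITHMS = frozenset({RSASHA1_NSEC3_SHA1, ECDSAP256SHA256})

if __name__ == "__main__":
    both = frozenset({RSASHA1_NSEC3_SHA1, ECDSAP256SHA256})
    only13 = frozenset({ECDSAP256SHA256})
    print("implements 7 and 13, asks A:   ",
          resolve_with_retry(DS_ALGORITHMS, both, PROVIDERS, ["A"]))
    print("implements only 13, asks A:    ",
          resolve_with_retry(DS_ALGORITHMS, only13, PROVIDERS, ["A"]))
    print("implements only 13, A then B:  ",
          resolve_with_retry(DS_ALGORITHMS, only13, PROVIDERS, ["A", "B"]))
```

Run as a script, the first case validates immediately, the second is bogus (the resolver implements 13, the DS RRset promises 13, but provider A only delivers algorithm-7 signatures), and the third recovers only because the validator tries the other server. A setup in which both providers sign with every algorithm the DS RRset lists would make the retry unnecessary, which is what the signing rules are there to guarantee.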
Dear DNSOP,
It's well-known that DNSSEC multi-signer setups are problematic when providers
want to sign with different algorithms.
In a hypothetical scenario where signing requirements would be relaxed, I have
a very specific question about how resolvers should behave. Apologies for the