Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-12-02 Thread Edward Lewis
Admittedly having not read past the abstract and responding to Scott's message - Scott is right on a point I think is underplayed. The protocol parameter registry is titled "DNS Security Algorithm Numbers", see:

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-12-01 Thread Rose, Scott
I have read the draft and support it being made into a WG document. I do have some minor comments - none that change the tone of the document: 1. Introduction 5th paragraph “DNSSEC algorithms are used…” Probably should be “DNSSEC registered algorithms…” There are no crypto algorithms that

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-25 Thread Shane Kerr
Mark, At 2016-11-25 15:45:08 +1100 Mark Andrews wrote: > > > > Sorry for being stupid and ignorant here, but again, is there an RFC > > which says you need multiple signatures? > > Yes. RFC4035 and RFC6840. Note the words "entire zone". You can't > have two algorithms in use

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-24 Thread Mark Andrews
In message <20161125115823.747eb...@pallas.home.time-travellers.org>, Shane Kerr writes: > Mark, > > At 2016-11-16 08:39:37 +1100 > Mark Andrews wrote: > > > In message <20161116000530.19ed4...@pallas.home.time-travellers.org>, > Shane Kerr writes: > > > Dan, > > > > > > At

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-24 Thread Shane Kerr
Mark, At 2016-11-16 08:39:37 +1100 Mark Andrews wrote: > In message <20161116000530.19ed4...@pallas.home.time-travellers.org>, Shane > Kerr writes: > > Dan, > > > > At 2016-11-15 12:41:01 + > > Dan York wrote: > > > The draft is at either of: > > > > > >

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-24 Thread Ask Bjørn Hansen
> On Nov 24, 2016, at 01:05, Matthijs Mekking wrote: > > In section 2.1.1 there is a note on an in 2016 standards non-compliant > resolver. Having RFCs (to be) note that other RFCs are not safe to assume its > implemented is a bit ridiculous to me. It is a given that

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-24 Thread Matthijs Mekking
Dan, I read your draft and I have a concern. The document makes a lot of observations about the current state of DNSSEC implementation, so I am afraid that this publication gets outdated quickly. So I do think it's a good idea to highlight which pieces in the DNS infrastructure need

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-15 Thread Mark Andrews
In message <20161116000530.19ed4...@pallas.home.time-travellers.org>, Shane Kerr writes: > Dan, > > At 2016-11-15 12:41:01 + > Dan York wrote: > > The draft is at either of: > > > > https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-cryptoalgs/ > >

Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-15 Thread Shane Kerr
Dan, At 2016-11-15 12:41:01 + Dan York wrote: > The draft is at either of: > > https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/ > https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-04 > > Please send any comments to the

[DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?

2016-11-15 Thread Dan York
As mentioned at the very end of DNSOP, Olafur Gudmundsson, Ondrej Sury, Paul Wouters and I have a draft published that aims to document the steps involved with deploying a new cryptographic algorithm for DNSSEC. The overall goal is to make it easier to get new DNSSEC crypto algorithms deployed,