[dnssec-deployment] [smb at cs.columbia.edu: how to phase in new hash algorithms?]
weiler+lists.dnssec-deploy at watson.org
Tue Mar 22 12:22:17 EST 2005
> Thanks for the clear explanation of algorithm roll over. Since this is
> one of the Issues we have listed, let me ask you to write this up in
> Issue format so we can post it and mark it closed. This will make it
> easy for someone to read what the issue is and how it's been resolved.
I think the best person for writing up an Issue is the person who
raised it. Among other things, that ensures that the public
documentation (RFC's, i-d's, etc.) is sufficiently clear and that the
matter has actually been thoroughly reviewed (and understood) by more
than one person.
> I think there is a small detail to make clear that when a new algorithm
> is introduced, it needs to be implemented by the resolvers before it can
> be used, so there's a phased roll out required whenever new algorithms
> are introduced.
I'm not sure I'm following exactly what you're saying here. Why can't
a new algorithm be used even though NO resolvers implement it? And
while there are reasons for wanting to slowly phase out old
algorithms, it may be desirable to immediately remove (DS records
referring to) it if it's known to be broken.
Again, if there's something that's unclear in the public
documentation, we need to know that, and I think clarifying the public
documents is a far more important task than clarifying this group's
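As an added illustration (not part of the original message) of the validator behaviour behind the question above, the following Python models the rule in RFC 4035 section 5.2 and RFC 6840 section 5.11: when none of the algorithms in an authenticated DS RRset is implemented by the resolver, the child is treated as insecure rather than bogus, so a zone can sign with a new algorithm before any resolver supports it, at the cost of being unvalidated by those resolvers. The algorithm numbers, resolver capability sets and rollover stages are constructed for the example.

```python
"""Model of a DNSSEC validator's decision at a delegation whose DS RRset
may list algorithms the validator does not implement."""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Delegation:
    ds_algorithms: set       # algorithms in the parent's authenticated DS RRset
    dnskey_algorithms: set   # algorithms of the DNSKEYs the child publishes
    rrsig_algorithms: set    # algorithms with a valid RRSIG over the child's DNSKEY RRset


def validate(deleg, supported):
    """Outcome for a resolver that implements the algorithms in `supported`."""
    usable = deleg.ds_algorithms & supported
    if not usable:
        # RFC 4035 5.2: no supported algorithm in DS is handled like an
        # authenticated proof that no DS exists, i.e. insecure, not bogus.
        return INSECURE
    # RFC 6840 5.11: one successfully authenticated path is sufficient.
    for alg in usable:
        if alg in deleg.dnskey_algorithms and alg in deleg.rrsig_algorithms:
            return SECURE
    return BOGUS


# Constructed scenario: IANA numbers 5 (RSA/SHA-1) and 8 (RSA/SHA-256).
OLD, NEW = 5, 8
LEGACY_RESOLVER = {OLD}        # predates the new algorithm
MODERN_RESOLVER = {OLD, NEW}   # implements both


def rollover_outcomes():
    """(legacy, modern) outcome for each stage of an algorithm rollover."""
    stages = {
        "old_only": Delegation({OLD}, {OLD}, {OLD}),
        "both":     Delegation({OLD, NEW}, {OLD, NEW}, {OLD, NEW}),
        "new_only": Delegation({NEW}, {NEW}, {NEW}),
        # DS still lists the old algorithm but the child dropped its key:
        # legacy resolvers have a DS they can use and nothing to match it.
        "ds_stale": Delegation({OLD, NEW}, {NEW}, {NEW}),
    }
    return {name: (validate(d, LEGACY_RESOLVER), validate(d, MODERN_RESOLVER))
            for name, d in stages.items()}


if __name__ == "__main__":
    for stage, (legacy, modern) in rollover_outcomes().items():
        print(f"{stage:9s} legacy={legacy:8s} modern={modern}")
```

The "ds_stale" stage is the case that actually breaks legacy resolvers: dropping a DS for a known-broken algorithm only leaves old resolvers insecure, whereas leaving the DS in place after removing the matching DNSKEY makes the zone bogus for them.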