[Dnssec-deployment] cases - was Re: Barbie sez: "Algorithm rollovers are HARD!"

Tony Finch dot at dotat.at
Tue Aug 17 09:35:43 EDT 2010


On Tue, 17 Aug 2010, Edward Lewis wrote:
>
> The cache has:-->    old-alg-only        both-alg-keys         new-alg-only
>
> The cache gets-v
>
> Old sig only              I                   II                  III
>
> Both sigs                 IV                   V                   VI
>
> New sig only             VII                 VIII                  IX
>
> Case I, II, IV, V, VI, VIII, IX are no problem, right?

Cases II and VIII must cause a validation failure since every RRset must
be signed by every algorithm.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
HEBRIDES: WEST BACKING SOUTH, BECOMING VARIABLE LATER, 3 OR 4. MODERATE OR
ROUGH. SHOWERS. MODERATE OR GOOD.


More information about the Dnssec-deployment mailing list