Ticket #46 (defect)
Opened 2 years ago
Last modified 2 years ago
NSEC3 Issue 24: Significance of Algorithm Numbers
Status: new
| Reported by: | geoff | Assigned to: | roy |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | nsec3-issues | Version: | |
| Severity: | blocker | Keywords: | |
| Cc: | | | |
Issue:
The precise meaning of algorithm numbers needs to be determined.
Discussion:
(tbd)
Change History
09/20/06 20:33:34: Modified by matt
10/23/06 01:35:44: Modified by roy
Not sure what to do here.
11/06/06 00:01:04: Modified by roy
According to Olafur, this issue is about the meaning of a keyset with both standard keys and alias keys.
11/06/06 00:18:01: Modified by davidb
More specifically, this issue pertains to the 4th paragraph of section 2 (Backwards compatibility). There are two problems with this paragraph. First, it says the zones SHOULD be signed only using the algorithm aliases. This should be a MUST for this specification. Second, this paragraph says that the rule only applies to secure entry point keys, which is in conflict with the rule in RFC 4024 (last paragraph of section 2.2).

Comments from NSEC3 WS2: The DNSKEY algorithms 3 and 5 MUST NOT be used for a zone that is NSEC3 signed. The two new algorithms will correspond to current algorithms 3 and 5.
Roy will send text to namedroppers with a proposal including alternatives.
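
The WS2 rule above, as an added example (not part of the ticket or of any NSEC3 draft text): a small lint that flags DNSKEY algorithms 3 and 5 in any zone that is NSEC3 signed, whether or not the key is a secure entry point. Assumptions: a zone counts as NSEC3 signed when an NSEC3PARAM record is present at its apex, and the alias numbers 6 and 7 are the ones later assigned in RFC 5155, which the ticket itself does not state; the zone data is constructed.

```python
# Added example: lint one-line zone records against the rule that DNSKEY
# algorithms 3 and 5 MUST NOT appear in an NSEC3-signed zone.
# Assumption: alias numbers 6 and 7 are the RFC 5155 assignments.
FORBIDDEN_WITH_NSEC3 = {3: 6, 5: 7}  # legacy algorithm -> NSEC3 alias

# Constructed sample data (key material is a placeholder, not a real key).
SAMPLE_ZONE = """
example. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
example. 3600 IN DNSKEY 257 3 7 AwEAAc1=   ; SEP key, alias algorithm
example. 3600 IN DNSKEY 256 3 5 AwEAAd2=   ; non-SEP key, legacy algorithm
legacy.  3600 IN DNSKEY 256 3 5 AwEAAe3=   ; zone without NSEC3PARAM
"""

def parse_records(zone_text):
    """Yield (owner, type, rdata fields) from simple one-line records."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        # Skip the optional TTL and class tokens before the type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]
        if rest:
            yield owner.lower(), rest[0].upper(), rest[1:]

def lint_zone(zone_text):
    """Return (owner, role, algorithm, suggested alias) per violation."""
    keys, nsec3_zones = {}, set()
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "DNSKEY" and len(rdata) >= 4:
            # DNSKEY RDATA: flags, protocol, algorithm, public key
            keys.setdefault(owner, []).append((int(rdata[0]), int(rdata[2])))
        elif rtype == "NSEC3PARAM":
            nsec3_zones.add(owner)
    findings = []
    for owner in sorted(nsec3_zones):
        for flags, alg in keys.get(owner, []):
            if alg in FORBIDDEN_WITH_NSEC3:
                # The SEP bit only labels the finding; every key is checked.
                role = "SEP" if flags & 1 else "non-SEP"
                findings.append((owner, role, alg, FORBIDDEN_WITH_NSEC3[alg]))
    return findings

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE):
        print("violation: zone=%s key=%s algorithm=%d use=%d" % finding)
```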