Root Zone DNSSEC Deployment Technical Status Update

Thierry Moreau thierry.moreau at connotech.com
Sat Jul 17 14:23:41 EDT 2010


Paul Hoffman wrote:
> At 9:52 AM -0400 7/17/10, Thierry Moreau wrote:
>> Incidentally, you say you [the design team] had good *documented* reasons for implementing DURZ *as*you*did*. Did you document why any of unknown/proprietary/foreign signature algorithm code(s) were not possible (this was an alternative)? This was my outstanding question.
> 
> Thierry, can you say how using one of those alternatives would look different than the DURZ that they used? Should they all be marked as "unverified" in a compliant DNSSEC resolver?

Yes. E.g. if a zone is signed only by algorithm GOOSE_128, and your 
validating resolver does not know this algorithm, the DNS zone data 
remains "insecure" (this is what you mean by "unverified" I guess). 
That's in the DNSSEC protocol.

Regards,


-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
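The protocol rule Thierry refers to is the validator behaviour in RFC 4035 section 5.2, clarified by RFC 6840 section 5.2: a DS record whose algorithm or digest type the resolver does not implement is ignored, and if no usable DS record remains the child zone is treated exactly as if the parent had proven that no DS exists, i.e. "insecure" (unsigned), not "bogus". The following Python model is an added example, not code from the thread or from any DNSSEC implementation; the signature verification itself is assumed to have been done elsewhere and is represented by the set of key tags that verified, and the algorithm number 200 standing in for the hypothetical "GOOSE_128" is a placeholder, not an IANA-assigned value.

```python
"""Model of how a validating resolver classifies a child zone from the parent's
authenticated DS RRset (RFC 4035 s.5.2, RFC 6840 s.5.2 and s.5.11).
Added illustration, not code from any resolver."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# IANA DNSSEC algorithm numbers a typical validator implements.
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15
# Placeholder for the hypothetical "GOOSE_128" from the thread; NOT an IANA value.
GOOSE_128 = 200

# DS digest type numbers.
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2


@dataclass(frozen=True)
class DS:
    """One record of the parent-side DS RRset (assumed already authenticated)."""
    key_tag: int
    algorithm: int
    digest_type: int


def usable_ds(ds_rrset: Iterable[DS],
              supported_algorithms: Set[int],
              supported_digests: Set[int]) -> List[DS]:
    """RFC 6840 s.5.2: ignore DS records with an unknown algorithm or digest
    type; only the remainder can anchor a chain of trust into the child."""
    return [ds for ds in ds_rrset
            if ds.algorithm in supported_algorithms
            and ds.digest_type in supported_digests]


def classify_zone(ds_rrset: Iterable[DS],
                  supported_algorithms: Set[int],
                  supported_digests: Set[int],
                  verified_key_tags: Set[int]) -> str:
    """Return "insecure", "secure" or "bogus".

    verified_key_tags: key tags of child DNSKEYs that matched a usable DS digest
    and whose signature over the child's DNSKEY RRset verified (crypto assumed
    done elsewhere in this model).
    """
    usable = usable_ds(ds_rrset, supported_algorithms, supported_digests)
    if not usable:
        # No supported authentication path from parent to child: treated like a
        # proven absence of DS, so the child is insecure rather than bogus and
        # its data is returned to clients without the AD bit.
        return "insecure"
    if any(ds.key_tag in verified_key_tags for ds in usable):
        # RFC 6840 s.5.11: one valid path is enough.
        return "secure"
    # A supported path exists but did not verify: this is a validation failure.
    return "bogus"


def scenarios() -> Dict[str, str]:
    """Constructed DS RRsets illustrating each outcome (key tags are made up)."""
    common = {RSASHA256, ECDSAP256SHA256, ED25519}
    digests = {DIGEST_SHA1, DIGEST_SHA256}
    goose_only = [DS(1001, GOOSE_128, DIGEST_SHA256)]
    mixed = [DS(1001, GOOSE_128, DIGEST_SHA256), DS(2002, RSASHA256, DIGEST_SHA256)]
    unknown_digest = [DS(3003, RSASHA256, 250)]   # 250: unassigned digest type
    return {
        # Zone signed only with an algorithm the resolver lacks -> insecure.
        "goose_only_unknown": classify_zone(goose_only, common, digests, set()),
        # Same zone, resolver that implements GOOSE_128 and verified key 1001.
        "goose_only_known": classify_zone(goose_only, common | {GOOSE_128}, digests, {1001}),
        # One unknown and one known DS; the known one verified -> secure.
        "mixed_verified": classify_zone(mixed, common, digests, {2002}),
        # Known DS present but its key failed to verify -> bogus, not insecure.
        "mixed_failed": classify_zone(mixed, common, digests, set()),
        # Only DS record uses an unknown digest type -> insecure.
        "unknown_digest": classify_zone(unknown_digest, common, digests, set()),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:20s} -> {status}")
```

The distinction that matters operationally is between the first and fourth scenario: an unknown algorithm on the only DS record degrades the zone to "insecure" and answers still flow (without the AD bit), whereas a supported algorithm whose signature fails yields "bogus" and a SERVFAIL. That is why an unknown-algorithm zone and a deliberately unvalidatable zone with a known algorithm but no published trust anchor can look the same to a resolver, even though they reach that state by different rules.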

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


