Olaf M. Kolkman wrote:
>> In other words, a DNSSEC signature algorithm present at an island of
>> security is recursively mandated (except for temporary mismatches in
>> DNS consistency) to secure child zones.

> No, that is a wrong interpretation. The catch is in the "by each
> algorithm appearing in the DS RRset" part. So the algorithm field in
> the DS can point to "new" algorithms and you are not tied to one single
> algorithm recursively down the tree.

Thanks for helping my education. I.e. I agree with you and I apologize
for the temporary doubt perhaps caused by my posts to the group.

This takes care of (what I thought was a radical) counter-argument to
ECC-DSA as a signature algorithm in DNSSEC. Other issues about ECC
(Elliptic Curve Cryptography) remain, but I'll leave others to raise them if
they see fit.



- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1

Tel.: (514)385-5691
Fax: (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
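
An added illustration of the "by each algorithm appearing in the DS RRset" rule quoted in the message above (not part of either poster's text): a consistency check over a delegation chain, showing that each child's algorithm follows its own DS RRset rather than the algorithm used at the top of the island. Zone names and algorithm assignments are constructed sample data, and the check compares algorithm numbers only; it does not verify signatures.

```python
from dataclasses import dataclass, field

# IANA DNSSEC algorithm numbers used in the constructed data below.
ALG = {5: "RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

@dataclass
class Zone:
    name: str
    ds_algs: set = field(default_factory=set)            # DS RRset at the parent
    dnskey_algs: set = field(default_factory=set)        # apex DNSKEY RRset
    dnskey_rrsig_algs: set = field(default_factory=set)  # RRSIGs over that DNSKEY RRset

def check_delegation(zone):
    """Return rule violations for one zone; an empty list means consistent."""
    problems = []
    # The apex DNSKEY RRset must be signed by each algorithm appearing in the DS RRset.
    for alg in sorted(zone.ds_algs - zone.dnskey_rrsig_algs):
        problems.append(f"{zone.name}: DS lists {ALG[alg]} but no RRSIG over DNSKEY uses it")
    # A signature needs a key of the same algorithm in the DNSKEY RRset.
    for alg in sorted(zone.dnskey_rrsig_algs - zone.dnskey_algs):
        problems.append(f"{zone.name}: RRSIG uses {ALG[alg]} but no DNSKEY has it")
    return problems

def check_chain(chain):
    """Check every zone from the island apex downward."""
    return [p for zone in chain for p in check_delegation(zone)]

# Constructed sample: the algorithm changes at every level, yet the chain is consistent.
MIXED_CHAIN = [
    Zone("island.example.", set(), {5}, {5}),  # apex of the island: no DS above it
    Zone("child.island.example.", {13}, {13}, {13}),
    Zone("leaf.child.island.example.", {8}, {8}, {8}),
]

# Constructed sample: the parent publishes DS records for two algorithms,
# but the child signs its DNSKEY RRset with only one of them.
BROKEN_CHAIN = [
    Zone("island.example.", set(), {5}, {5}),
    Zone("child.island.example.", {8, 13}, {8, 13}, {8}),
]

if __name__ == "__main__":
    for label, chain in (("mixed", MIXED_CHAIN), ("broken", BROKEN_CHAIN)):
        print(label, check_chain(chain) or "consistent")
```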
