On Mon, 27 Mar 2006, Ólafur Guðmundsson /DNSEXT co-chair wrote:

> To answer your quotes from below, following is perfectly valid from the
> protocol point.
> . signed by RSA/SHA256
> COM signed by RSA/SHA1
> signed by DSA
> signed by RSA/MD5
> signed by DSA

So if I wanted to express that there are multiple types of signatures,
that would or would not be possible, i.e. what if I have: signed by RSA/SHA1 signed by RSA/SHA256

> But for a validator the trust chain is broken when it is faced with the
> first algorithm it does not understand/support. As some validators have
> removed support for RSA/MD5 that zone risks becoming viewed as insecure,
> and its children are treated insecure because of the parent.

If multiple signatures are possible what needs to be done is to take care
to separate into multiple RRs that can be requested independently. Not sure
how to do it without breaking DNS other than by prefixes.

William Leibzon
Elan Networks
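
Added illustration, not part of the original message: a small Python model of the validator behaviour described in the quoted reply, where the chain is treated as insecure from the first zone whose algorithms the validator does not support. The zone names below COM, the supported set, and the rule that one supported algorithm is enough for a zone signed with several are assumptions of this example.

```python
from dataclasses import dataclass

SECURE, INSECURE = "secure", "insecure"


@dataclass(frozen=True)
class Zone:
    name: str               # constructed zone name
    algorithms: frozenset   # algorithms the zone is signed with


def classify_chain(chain, supported):
    """Walk the delegation chain from the root down.

    Assumption: every signature that can be checked verifies, so the only
    thing modelled is algorithm support. A zone is usable if at least one
    of its algorithms is supported; after the first zone with none, that
    zone and everything below it is treated as insecure.
    """
    status, broken = {}, False
    for zone in chain:
        if not broken and not (zone.algorithms & supported):
            broken = True
        status[zone.name] = INSECURE if broken else SECURE
    return status


# Validator that has dropped RSA/MD5 (constructed configuration).
SUPPORTED = frozenset({"RSA/SHA256", "RSA/SHA1", "DSA"})

# Same algorithm sequence as the quoted list; names below COM are constructed.
SINGLE = [
    Zone(".", frozenset({"RSA/SHA256"})),
    Zone("com.", frozenset({"RSA/SHA1"})),
    Zone("example.com.", frozenset({"DSA"})),
    Zone("sub.example.com.", frozenset({"RSA/MD5"})),
    Zone("deep.sub.example.com.", frozenset({"DSA"})),
]

# Variant: the RSA/MD5 zone is also signed with RSA/SHA1.
DUAL = SINGLE[:3] + [
    Zone("sub.example.com.", frozenset({"RSA/MD5", "RSA/SHA1"})),
    SINGLE[4],
]

if __name__ == "__main__":
    for label, chain in (("single", SINGLE), ("dual", DUAL)):
        print(label, classify_chain(chain, SUPPORTED))
```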