On Mon, 27 Mar 2006, Ólafur Guðmundsson /DNSEXT co-chair wrote:

> To answer your quotes from below, the following is perfectly valid from the
> protocol point of view.
> . signed by RSA/SHA256
> COM signed by RSA/SHA1
> EXAMPLE.com signed by DSA
> child.example.com signed by RSA/MD5
> grandchild.example.com signed by DSA


So if I wanted to express that there are multiple types of signatures,
would that or would that not be possible, i.e. what if I have:
EXAMPLE.com signed by RSA/SHA1
EXAMPLE.com signed by RSA/SHA256

> But for a validator the trust chain is broken when it is faced with the
> first algorithm it does not understand/support. As some validators have
> removed support for RSA/MD5, that zone risks becoming viewed as insecure,
> and its children are treated as insecure because of the parent.


If multiple signatures are possible, what needs to be done is to take care
to separate them into multiple RRs that can be requested independently. Not sure
how to do it without breaking DNS other than by prefixes.

--
William Leibzon
Elan Networks
william@elan.net