[nsd-users] DS algorithm as mnemonic

Peter Koch pk at denic.de
Tue Feb 28 10:19:59 UTC 2012


On Tue, Feb 28, 2012 at 11:00:23AM +0100, Matthijs Mekking wrote:

> This is correct. NSD only had up to RSASHA1 in its dns algorithm
> table. Newer algorithms were never added due to backwards
> incompatibility concerns.

Strictly speaking, section 5.3 of RFC 4034 limits the mnemonic
representation to those present in that RFC's appendix and does
not extend it to future (including those defined in 5702 and 5933)
code point assignments.  From the point of view of an authoritative
server this makes sense since it doesn't have to understand (or
recognize) the algorithm used to properly serve the correct
DNSKEY and RRSIG RRs.

> However, we could allow newer mnemonics when reading in a zone (more
> user friendly), and when writing always print the unsigned integer
> value (more consistent, backwards compatible).

+1 for the latter and 'not sure' about the former.  Another potential
abuse of the robustness principle on the horizon ...

-Peter
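The "tolerant reader, strict writer" behaviour discussed above (accept mnemonics when loading a zone, always print the integer when writing), as an added Python example that is not NSD code and was not posted in this thread. The mnemonic table is constructed from RFC 4034 Appendix A.1 plus the later registrations in RFC 5155, 5702 and 5933; the function names, the accept_newer switch and the sample RR lines are my own. Unknown mnemonics are rejected rather than guessed, which is the part that keeps the reader from becoming the robustness-principle abuse Peter worries about.

```python
# Constructed example: tolerant reader / strict writer for the algorithm
# field of DNSKEY, DS and RRSIG records in presentation format. Not NSD code.

# Mnemonics RFC 4034 Appendix A.1 actually defines a presentation form for.
RFC4034_MNEMONICS = {
    "RSAMD5": 1,
    "DH": 2,
    "DSA": 3,
    "ECC": 4,
    "RSASHA1": 5,
    "INDIRECT": 252,
    "PRIVATEDNS": 253,
    "PRIVATEOID": 254,
}

# The "newer mnemonics" the thread is about: registered later, and RFC 4034
# section 5.3 never granted them a mnemonic form, so a strict reader may
# legitimately refuse them.
NEWER_MNEMONICS = {
    "DSA-NSEC3-SHA1": 6,        # RFC 5155
    "RSASHA1-NSEC3-SHA1": 7,    # RFC 5155
    "RSASHA256": 8,             # RFC 5702
    "RSASHA512": 10,            # RFC 5702
    "ECC-GOST": 12,             # RFC 5933
}

# RR types whose rdata carries an algorithm octet, with the 0-based position
# of that octet within the rdata (DNSKEY: flags proto alg key; DS: keytag alg
# digesttype digest; RRSIG: typecovered alg labels ...).
ALGORITHM_FIELD = {"DNSKEY": 2, "DS": 1, "RRSIG": 1}

CLASS_TOKENS = {"IN", "CH", "HS", "CS"}


def parse_algorithm(token, accept_newer=True):
    """Map a presentation-format algorithm token to its 8-bit code point.

    Unsigned integers are always accepted (the form every implementation must
    handle), as are the RFC 4034 mnemonics. Mnemonics from later RFCs are
    accepted only when accept_newer is set. Anything else raises ValueError:
    unknown input must never be silently mapped to some other algorithm.
    """
    if token.isdigit():
        value = int(token)
        if not 0 <= value <= 255:
            raise ValueError(f"algorithm {value} does not fit in one octet")
        return value
    name = token.upper()
    if name in RFC4034_MNEMONICS:
        return RFC4034_MNEMONICS[name]
    if accept_newer and name in NEWER_MNEMONICS:
        return NEWER_MNEMONICS[name]
    raise ValueError(f"unknown algorithm mnemonic {token!r}")


def accepts(token, accept_newer=True):
    """True if parse_algorithm() would accept the token under this policy."""
    try:
        parse_algorithm(token, accept_newer)
        return True
    except ValueError:
        return False


def format_algorithm(value):
    """Writer side: always emit the unsigned integer, never a mnemonic."""
    if not 0 <= value <= 255:
        raise ValueError(f"algorithm {value} does not fit in one octet")
    return str(value)


def normalize_rr(line, accept_newer=True):
    """Rewrite one RR line so its algorithm field is in integer form.

    Lines for RR types without an algorithm field are returned unchanged.
    The owner name is tokens[0]; the type token follows an optional TTL and
    class, which is how the RRSIG "type covered" field is not mistaken for
    the type itself.
    """
    tokens = line.split()
    i = 1
    while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in CLASS_TOKENS):
        i += 1
    if i >= len(tokens):
        return line
    rtype = tokens[i].upper()
    if rtype not in ALGORITHM_FIELD:
        return line
    pos = i + 1 + ALGORITHM_FIELD[rtype]
    if pos >= len(tokens):
        raise ValueError(f"truncated {rtype} rdata: {line!r}")
    tokens[pos] = format_algorithm(parse_algorithm(tokens[pos], accept_newer))
    return " ".join(tokens)


if __name__ == "__main__":
    # Constructed sample zone lines (key and signature material is dummy).
    for rr in [
        "example. 3600 IN DNSKEY 257 3 RSASHA256 AwEAAQ==",
        "example. IN DS 12345 ECC-GOST 2 ABCD",
        "example. 3600 IN RRSIG DNSKEY RSASHA1 1 3600 20120301000000 20120201000000 12345 example. c2ln",
        "example. 3600 IN A 192.0.2.1",
    ]:
        print(normalize_rr(rr))
```

Running the block prints each sample line with "8", "12" and "5" in place of the mnemonics, and leaves the A record alone. Calling normalize_rr() with accept_newer=False keeps the RFC 4034 behaviour: RSASHA1 still loads, RSASHA256 and ECC-GOST are rejected with a ValueError naming the offending token, and the writer never produces a mnemonic either way.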
