On Tue, Mar 07, 2017 at 03:46:00AM +0000, Salz, Rich wrote:
> > Specifically, in 10.3 use of DNSSEC is a RECOMMENDATION, not a
> > requirement:
> > 
> >     https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-10.3
> > 
> > I would have expected a requirement here.
> 
> The WG consensus has been for recommendation.

I've had complete disinterest in CAA which initially was accepted
by CA/B forum as a "recommendation", which meant that the constraint
was meaningless.  Rumour has it that CAA will soon be a requirement,
so I've now published CAA records.  The CAA check is/was easy to
make and crippling it by not making it a requirement was IMNSHO a
mistake.

Similarly, using a DNSSEC-capable resolver is by no means rocket
science; much of the world is doing just that via Google's,
Verisign's, ... open resolvers.  Leaving the CAs wiggle-room to
avoid what should be standard practice by now makes no sense.

I urge the WG to reconsider.

-- 
        Viktor.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
