On Tue, Jan 09, 2018 at 10:27:05 +0100, Sophie Herold wrote: > On 07/01/18 19:53, Jörn Heissler wrote: > > why SHOULD a client undo any actions regardless if an authorization > > failed or if the certificate was issued, etc.? > > What bad might happen when a file or DNS record is *not* removed? > > I don't have any experiences with DNS servers serving large zone files. > However, if ACME records aren't deleted, they may quickly become the > majority of the records. I imagine, that this could be relevant in the > long run. Assuming that ACME will be used by a considerable proportion > of domains in the future, it might be wise to take measures to curb this > bloat with a SHOULD?
Hi, neither do I. My largest zone file was no more than a few Hundred records. I wouldn't care if my DNS server hosts a total of 3000 or 5000 records. This might add a few Hundred kilobytes of memory usage, so what. Large providers with DNS servers for Millions of domains might either charge their users per record (and earn more money if users keep the records) or if they manage ACME themselves they could remove the records when no longer needed. Whenever I update my zone, the slave servers need to pick up the change. This adds load too. Or in the case of e.g. AWS route53, it takes several seconds to do any change. And for every change a log entry is generated and stored in CloudTrail. I'm not familiar with DNSSEC. When you add a new record, I assume you need to re-sign your zone. Is the same true when you remove a record? So there is a chance that removing records will free up a some storage. But surely there is network + computational overhead at the same time. We're using rfc2119 terminology here. I don't see enough justification why records SHOULD be removed. There are good reasons for and reasons against doing it. I think that "MAY" fits a lot better here. Cheers Jörn
signature.asc
Description: PGP signature
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
