On 19-01-2021 02:02, Viktor Dukhovni wrote:
On Mon, Jan 18, 2021 at 08:31:36PM +0000, Paul Vixie wrote:

On Mon, Jan 18, 2021 at 03:54:49PM +0000, Roy Arends wrote:

I agree with you.

So do I. But I'm concerned about that. Most of the operators of dnssec
machinery have not been born yet, and most dnssec machinery that will
ever be used has not been created yet. I don't think those future operators
and creators will read this mailing list's archives. Where can we put the
agreed wisdom of our era so that it can be easily and persistently found
both in this and future eras?

(Same for the empty salt thread, and likely many others past and future.)

I guess a dnsop BCP draft is called for, but I'm somewhat cycle-starved
to spin up a new draft.  If anyone can get that started, I'm happy to
coauthor, review, ... but starting a BCP draft from scratch is more
effort than I can muster at the moment.

It doesn't need to be from scratch. There is RFC 6781 "DNSSEC Operational Practices, Version 2" but that is horribly out of date.

* It prefers the RSA/SHA-256 algorithm (ECDSA was n/a at the time).
* It prefers NSEC3 for large unstructured zones.
* It says 100 iterations is not excessive, but costly.
* It does not know about CDS/CDNSKEY records.
* It does not know about multi-signer models.

In my opinion RFC 6781 should be updated or obsoleted.

- Matthijs
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations