Hi Ben,

On Mon, 2020-08-10 at 10:07 -0400, Ben Schwartz wrote:
> I do not support adopting this draft as-is.  I think this construction is 
> very clever, and points us in the right direction for authentication, but 
> it's extremely inflexible in regard to the transport protocol and key 
> updates.  As the draft notes, "a change in TLS keys on an auth may require DS 
> updates for thousands or even hundreds of thousands of domains", which may 
> not be under the administrative control of the authoritative server operator. 
>  This seems likely to make key rotation effectively impossible in many 
> potential deployments, as rotation cannot occur until _all_ customers have 
> updated their zones.
> 
> This draft could be suitable for "experimental" status, but for a "standards 
> track" document I think we should start with a design that addresses these 
> problems.

Because I still believe this approach would work for many domain owners, I 
think experimental would make perfect sense, but at this point I'm unsure the 
WG even has appetite for that, and that is very understandable.

(and I agree with Paul Hoffman and others that we have plenty of proposals, 
fully worked out or not, but not a lot of agreement on what the actual shape is 
of the problem we are solving.)

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
