On 2013-04-18, at 18:15, Wes Hardaker <[email protected]> wrote:

> CDS is at least a decent middle ground that offers a middle point in the
> balance equation. It provides a decent point where security and
> operational practice might be at the top of the tradeoff bubble. And,
> that's why we have operational and security sections in RFCs in the
> first place: to document concerns and let the real world make their
> decisions based on that discussion.
I wonder actually why we're discussing CDS at all, and are not just sitting back and watching people deploy signed apex DS RRSets. (I understand why we're discussing the general approach. I just don't know why the approach is tied to a new RRType.)

There's no protocol meaning at present for an apex DS RRSet, which means it ought to be harmless to add one. A parent (or the parent's agent) could decide to act upon the presence of a signed apex DS RRSet just as easily as it could with CDS. It might as well pick up the signed NS set while it's there.

By this thinking, a signed apex DS RRSet with the meaning discussed for CDS could be deployed today, with no need for code point assignment.

What am I missing?

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
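An added example, not code from this thread, of the parent-side logic the message describes: a parent's agent that treats a DNSSEC-validated child apex DS RRSet and a CDS RRSet identically (same rdata, only the type name differs) and works out what to add to or remove from the parent's DS set. The zone name, key tags and digests are constructed, and DNSSEC validation is modelled by a boolean because no query is made; the guards (act only on a validated set, never treat an absent set as a deletion) are the checks a practitioner would want before automating anything on this signal.

```python
from dataclasses import dataclass

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # hex digits per DS digest type (SHA-1/256/384)

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-cased so equal digests compare equal

def parse_ds(line: str) -> DS:
    """Parse DS or CDS rdata, alone or as a full 'owner TTL IN DS|CDS ...' line.
    The type name is deliberately ignored: the rdata is identical either way."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.upper() in ("DS", "CDS"):
            tokens = tokens[i + 1:]
            break
    if len(tokens) < 4:
        raise ValueError(f"not DS rdata: {line!r}")
    key_tag, algorithm, digest_type = (int(t) for t in tokens[:3])
    digest = "".join(tokens[3:]).upper()  # digest may be split by whitespace
    if len(digest) != DIGEST_HEX_LEN.get(digest_type, len(digest)):
        raise ValueError(f"digest length does not fit digest type {digest_type}")
    return DS(key_tag, algorithm, digest_type, digest)

def plan_parent_update(parent_ds, child_ds, child_set_validated):
    """Return (to_add, to_remove) for the parent's DS RRSet.
    Acts only on a DNSSEC-validated child set: an unsigned or unvalidatable
    answer proves nothing about who controls the child zone. An absent set
    means 'nothing to do', never 'drop the delegation's DS records'."""
    if not child_set_validated:
        raise ValueError("child DS/CDS RRSet not DNSSEC-validated; ignoring")
    if not child_ds:
        return set(), set()
    return child_ds - parent_ds, parent_ds - child_ds

# Constructed sample data: hypothetical zone, key tags and digests.
PARENT_DS = "example.com. 3600 IN DS 12345 13 2 " + "11" * 32
CHILD_APEX = [  # child publishes old and new DS during a KSK rollover
    "example.com. 3600 IN DS 12345 13 2 " + "11" * 32,
    "example.com. 3600 IN DS 54321 13 2 " + "22" * 32,
]

def rollover_step():
    """Parent agent: diff the validated child apex set against the parent."""
    parent = {parse_ds(PARENT_DS)}
    child = {parse_ds(r) for r in CHILD_APEX}
    return plan_parent_update(parent, child, child_set_validated=True)
```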
