Ed,

At 2016-02-29 12:51:16 +0000
Edward Lewis <[email protected]> wrote:

> On 2/25/16, 17:58, "DNSOP on behalf of Warren Kumari"
> <[email protected] on behalf of [email protected]> wrote:
>
> >We have recently updated "Believing NSEC records in the DNS root"
> >(https://tools.ietf.org/html/draft-wkumari-dnsop-cheese-shop-01).
>
> My objection to this document is based on the draft's proposal to specify
> a change to the protocol based on the data being carried in one particular
> deployment of the protocol.

Interesting concern, although I don't see how it can be otherwise. We
don't know what the properties of future protocols will be, so I don't
know how we can specify what the behavior of resolvers using such
protocols would be.

> If the DNS is built to assume that the root zone is DNSSEC signed with
> NSEC records and this is then "burned into software" the other
> inter-networks will be given the choice of having to turn on DNSSEC and
> NSEC for their root zone or developing other software. (Or...other
> inconvenient mitigations.)

Can't a couple sentences address this concern?

"If the root zone is not DNSSEC signed with NSEC records then the
Cheese Shop is closed and this document does not apply. Resolvers MUST
continue to work in such an environment."

Cheers,

--
Shane
