----- Original Message -----
> From: "John R Levine" <[email protected]>
> To: "Woodworth, John R" <[email protected]>
> Cc: "dnsop" <[email protected]>
> Sent: Saturday, 22 July, 2017 08:33:30
> Subject: Re: [DNSOP] DNS versioning, was The DNSOP WG has placed
> draft-woodworth-bulk-rr in state "Candidate for WG
> Adoption"

>>> ...BULK absolutely requires online DNSSEC signing,
>> Unfortunately, I respectfully reject this as a statement of fact.
>> There's even a provision (NPN) ...
>
> ... which only works if you upgrade every validating resolver. If you
> get to do that, you might as well just send the signed BULK record, the
> NSEC and RRSIG that show there's nothing at the name, and let the resolver
> figure it out. Given how slowly people update their client DNS libraries,
> NPN would be a recipe for decades of DNS flakiness, as some resolvers
> accept the generated records and some don't.

+1

Personally, I think NPN should be just dropped as John L. is correct in his assessment here.

I still think BULK is too complicated[*], but I understand the value of interoperability between DNS server vendors.

* - compare to our synthrecord plugin: https://www.knot-dns.cz/docs/2.5/html/modules.html#synthrecord-automatic-forward-reverse-records

Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:[email protected] https://nic.cz/
--------------------------------------------

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
