----- Original Message -----
> From: "John R Levine" <jo...@taugh.com>
> To: "Woodworth, John R" <john.woodwo...@centurylink.com>
> Cc: "dnsop" <dnsop@ietf.org>
> Sent: Saturday, 22 July, 2017 08:33:30
> Subject: Re: [DNSOP] DNS versioning, was The DNSOP WG has placed
> draft-woodworth-bulk-rr in state "Candidate for WG
> Adoption"

>>> ...BULK absolutely requires online DNSSEC signing,
>> Unfortunately, I respectfully reject this as a statement of fact.
>> There's even a provision (NPN) ...
>
> ... which only works if you upgrade every validating resolver. If you
> get to do that, you might as well just send the signed BULK record, the
> NSEC and RRSIG that show there's nothing at the name, and let the resolver
> figure it out. Given how slowly people update their client DNS libraries,
> NPN would be a recipe for decades of DNS flakiness, as some resolvers
> accept the generated records and some don't.

+1

Personally, I think NPN should be just dropped as John L. is correct in
his assessment here.

I still think BULK is too complicated[*], but I understand the value of
interoperability between DNS server vendors.

* - compare to our synthrecord plugin:
https://www.knot-dns.cz/docs/2.5/html/modules.html#synthrecord-automatic-forward-reverse-records

Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.s...@nic.cz https://nic.cz/
--------------------------------------------

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop