> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett <[email protected]> wrote:
>
>> If the registry operator is going to automatically upgrade previously
>> insecure delegations to DNSSEC, then due diligence to make sure that this is
>> not going to cause outages is advisable. Once a domain is signed, TLSA and
>> CAA lookups must succeed, or the domain may no longer receive email from
>> DANE-enabled sending MTAs, or be able to obtain certificates from their CA,
>> ...
>>
>> So I rather strongly feel that appropriate quality checks should be in
>> place, to protect both the registrant and the registry (dealing with fallout
>> from outages is best avoided).
>
> Except that those are standard DNSSEC operations best practices, not even
> limited to CDS use, let alone a REST protocol designed for signalling that
> CDS should be scanned. Perhaps others can speak up about the applicability
> here, but I feel rather strongly that general operations best practices
> shouldn't be defined in a document limited to one corner case. That risks
> the advice case either not being applied elsewhere, because it's not in a
> general operations document and therefore not seen, or worse contradicting
> what goes into a general operations document.
>
> The security checks in this draft are there to help ensure that the parent
> can trust the update request. I believe going further than that is out of
> scope.

So at this point I think we understand each other, and the issue comes down to
whether it is appropriate for the registry to automatically turn on DS records
for the first time for a domain which is substantively operationally deficient
at the time its CDS records are encountered.

I think that garbage-in/garbage-out is not only a disservice to the domain's
owner, but more importantly it poisons the ecosystem for everyone else.

If turning on DNSSEC validation in your resolver stops email delivery to a
bunch of domains, or breaks all access to the domain's data, whom exactly is
the registry helping by enabling DNSSEC for a substantially broken domain?

Think of this as anti-pollution environmental regulation.

--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop