> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett <m...@conundrum.com> wrote:
>> If the registry operator is going to automatically upgrade previously 
>> insecure delegations to DNSSEC, then due diligence to make sure that this is 
>> not going to cause outages is advisable.  Once a domain is signed, TLSA and 
>> CAA lookups must succeed, or the domain may no longer receive email from 
>> DANE-enabled sending MTAs, or be able to obtain certificates from their CA, 
>> ...
>> So I rather strongly feel that appropriate quality checks should be in 
>> place, to protect both the registrant and the registry (dealing with fallout 
>> from outages is best avoided).
> Except that those are standard DNSSEC operations best practices, not even 
> limited to CDS use, let alone a REST protocol designed for signalling that 
> CDS should be scanned.  Perhaps others can speak up about the applicability 
> here, but I feel rather strongly that general operations best practices 
> shouldn't be defined in a document limited to one corner case.  That risks 
> the advice case either not being applied elsewhere, because it's not in a 
> general operations document and therefore not seen, or worse contradicting 
> what goes into a general operations document.
> The security checks in this draft are there to help ensure that the parent 
> can trust the update request.  I believe going further than that is out of 
> scope.

So at this point I think we understand each other, and the issue comes down to 
whether it is appropriate for the registry to automatically turn on DS records 
for the first time for a domain which is substantively operationally deficient 
at the time its CDS records are encountered.

I think that garbage-in/garbage-out is not only a disservice to the domain's 
owner, but more importantly it poisons the ecosystem for everyone else.

If turning on DNSSEC validation in your resolver stops email delivery to a 
bunch of domains, or breaks all access to the domain's data, whom exactly is 
the registry helping by enabling DNSSEC for a substantially broken domain?

Think of this as anti-pollution environmental regulation.


DNSOP mailing list
