> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett <m...@conundrum.com> wrote: > >> If the registry operator is going to automatically upgrade previously >> insecure delegations to DNSSEC, then due diligence to make sure that this is >> not going to cause outages is advisable. Once a domain is signed, TLSA and >> CAA lookups must succeed, or the domain may no longer receive email from >> DANE-enabled sending MTAs, or be able to obtain certificates from their CA, >> ... >> >> So I rather strongly feel that appropriate quality checks should be in >> place, to protect both the registrant and the registry (dealing with fallout >> from outages is best avoided). > > Except that those are standard DNSSEC operations best practices, not even > limited to CDS use, let alone a REST protocol designed for signalling that > CDS should be scanned. Perhaps others can speak up about the applicability > here, but I feel rather strongly that general operations best practices > shouldn't be defined in a document limited to one corner case. That risks > the advice case either not being applied elsewhere, because it's not in a > general operations document and therefore not seen, or worse contradicting > what goes into a general operations document. > > The security checks in this draft are there to help ensure that the parent > can trust the update request. I believe going further than that is out of > scope.
So at this point I think we understand each other, and the issue comes down to whether it is appropriate for the registry to automatically turn on DS records for the first time for a domain which is substantively operationally deficient at the time its CDS records are encountered. I think that garbage-in/garbage-out is not only a disservice to the domain's owner, but more importantly it poisons the ecosystem for everyone else. If turning on DNSSEC validation in your resolver stops email delivery to a bunch of domains, or breaks all access to the domain's data, whom exactly is the registry helping by enabling DNSSEC for a substantially broken domain. Think of this as anti-pollution environmental regulation. -- Viktor. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop