> On Feb 25, 2021, at 5:13 PM, Ben Schwartz <[email protected]> wrote:
>
> The most interesting informational element, in my view, would be guidance on
> how to detect buggy implementations that will create this problem. (Set up a
> test zone and a test resolver and ...?). I think the best practice is
> probably to migrate to a better implementation before rolling the algorithm.
The sentiment is certainly noble, but it is not infrequently far from the reality imposed by the concrete tools that, for better or worse, are the ones at many users' disposal. For example, ietf.org is signed manually once a year! This is done via some homebrew combination of scripts. And much as it may be nice to tell them to upgrade to BIND 9.16 and turn on a key management policy that takes care of all the little details automatically (https://dilbert.com/strip/1995-06-24), there may well be reasons why that may not be in the cards for some time.

So I don't think that just sweeping the problem under the rug is realistic. I think "informational" is a reasonable choice.

-- 
Viktor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
