On Thu, 25 Feb 2021 at 14:14, Ben Schwartz wrote:
> The most interesting informational element, in my view, would be guidance
> on how to detect buggy implementations that will create this problem. (Set
> up a test zone and a test resolver and ...?). I think the best practice is
> probably to migrate to a better implementation before rolling the algorithm.

Sometimes the bug is an absent operator on the other end of the transfer. Or an uncooperative one, which RFC 6781 doesn't really address.

I have a zone I'm planning a move for where the only way it's going to get done, without going through a bogus state, is by going through an insecure state. I'd be extremely uncomfortable labelling that kind of transfer as a best practice, but it's operational reality that it's going to happen, and it probably wouldn't hurt to have a document out there explaining how to do it the best way possible. Provided, of course, that it's heavily laden with caveats pointing to all the more secure procedures documented that should be ruled out first.
