It appears that Paul Wouters <[email protected]> said:
>I've read the draft, and it is an interesting idea. Some thoughts I had:
>
>- Is it really needed to do hashing? Do we really expect domain names to
>  hit the 63 or 255 limit ?

Probably not. There was also some thought that this makes it harder for tourists to guess the delegated zone names, not sure if anyone would care.

>- I would like to see some text on removing the records too once the
>  child gained its DS record.

That really needs to be about scaling issues. If your NS serves three zones and you leave in the _boot records, who cares. But there are NS that serve three million zones and I think we would all like to avoid long useless NSEC walks.

>- Should it be explicitly noted that in-bailiwick domains are not
>  supported?

Yes, I thought that was in there already. I did some counts in TLD files and found that in practice very few 2LDs use in-bailiwick NS. We should document it but it's not a big deal.

>- It puts a constraint of the nameserver being in a zone that is DNSSEC
>  enabled. This is currently not required (though very often the case
>  anyway)

The point of this is to do a DNSSEC bootstrap that is fully DNSSEC validated. If the _boot record doesn't have to be signed, you might as well just use the CDS from the child server.

R's,
John
