On Thu, Mar 10, 2022 at 06:54:07PM +0000, Paul Hoffman wrote:
> Greetings again. My motivation here is kinda trivial, but I've heard
> it is a common complaint. When writing about DNSSEC, I need to
> reference the RFC. But it's three RFCs (4033, 4034, and 4035), and
> possibly another (6840). It would be awfully nice to refer to "DNSSEC"
> with a single reference like "BCP 250".

I'm on board for a DNSSEC BCP document. I've effectively been working
on this for some time. Hence e.g. the NSEC3 iteration draft and an
upcoming APNIC guest post on ZSK best-practice.

Would be nice to publish more accessible text on the correct handling of
ENTs and wildcards (as e.g. malpracticed by NameCheap).

At least TLSA non-response has mostly gone away as an issue, NSEC3
iterations have come down quite significantly. Also algorithms 5 and 7
have each lost ~93% of their peak deployment levels.

So communicating (and repeatedly nagging) best-practice does appear to
translate to operational changes, even if the time scale is ~2 years in
some cases.

--
Viktor.