Roman Danyliw has entered the following ballot position for draft-ietf-dnsop-dnssec-bcp-05: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bcp/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Catherine Meadows for the SECDIR review.

** Section 1.1

   Recent estimates are that fewer than 10% of the domain names used for web sites are signed, and only around a third of queries to recursive resolvers are validated.

Since this is a point-in-time measurement, this document would age better with a reference to these figures.

** Section 1.1

   However, this low level of implementation does not affect whether DNSSEC is a best current practice; it just indicates that the value of deploying DNSSEC is often considered lower than the cost. Nonetheless, the significant deployment of DNSSEC beneath some top-level domains (TLDs), and the near-universal deployment of DNSSEC for the TLDs in the DNS root zone, demonstrate that DNSSEC is suitable for implementation by both ordinary and highly sophisticated domain owners.

Editorial style. The first sentence states that most of the Internet doesn’t see the value of DNSSEC relative to the cost. The second sentence suggests that it is “suitable for … ordinary domain owners.” I might have used the word “applicable for …” because for me, part of suitability is that the cost is acceptable for many in the target population (which the first sentence suggests it is not).

** Section 2.

   Earlier iterations have not been deployed on a significant scale.
Consider if the text can qualify the differences in scale from the one posed in Section 1.1 (i.e., <10% of the domains).

** Section 3.

   Cryptography improves over time, and new algorithms get adopted by various Internet protocols.

Consider rephrasing this statement. Over time, existing cryptographic algorithms typically weaken as computing power and new cryptanalysis emerge.
