On Oct 17, 2022, at 5:14 PM, Roman Danyliw via Datatracker <[email protected]> wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you to Catherine Meadows for the SECDIR review.
>
> ** Section 1.1
>    Recent estimates are that fewer than
>    10% of the domain names used for web sites are signed, and only
>    around a third of queries to recursive resolvers are validated.
>
> Since this is a point-in-time measurement, this document would age better with
> a reference to these figures.

I had considered having a reference, but most of the references are things like DNS-OARC presentations, and not inherently useful to the reader of this document. I also considered a reference to Section 3.1 of <https://www.icann.org/en/system/files/files/octo-023-24feb21-en.pdf> where I had done such research, but that seemed a tad self-serving.

> ** Section 1.1
>    However, this low level of implementation does not affect whether
>    DNSSEC is a best current practice; it just indicates that the value
>    of deploying DNSSEC is often considered lower than the cost.
>    Nonetheless, the significant deployment of DNSSEC beneath some
>    top-level domains (TLDs), and the near-universal deployment of DNSSEC for
>    the TLDs in the DNS root zone, demonstrate that DNSSEC is suitable
>    for implementation by both ordinary and highly sophisticated domain
>    owners.
>
> Editorial style. The first sentence states that most of the Internet doesn’t
> see the value of DNSSEC relative to the cost. The second sentence suggests
> that it is “suitable for … ordinary domain owners.” I might have used the
> word “applicable for …” because for me, part of suitability is that the
> cost is acceptable for many in the target population (which the first sentence
> suggests it is not).

Good catch, thanks!

> ** Section 2.
>    Earlier iterations have not been deployed on a significant scale.
>
> Consider if the text can qualify the differences in scale from the one posed on
> Section 1.1 (i.e., <10% of the domains).

Such quantification would indeed be useful, but I'm unaware of any (much less any good) measurements taken at the time.

> ** Section 3.
>    Cryptography improves over time, and new algorithms get adopted by
>    various Internet protocols.
>
> Consider rephrasing this statement. Over time, existing cryptographic
> algorithms typically weaken as computing power and new cryptanalysis emerge.

Sounds good.

<https://github.com/paulehoffman/draft-hoffman-dnssec/commit/d7fa04>

--Paul Hoffman
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
