Hi Vladimir, Thanks for your feedback! Please see below.
On 11/11/22 19:01, Vladimír Čunát wrote:
> It's not a major thing in your design, but I see a risk that DNSKEYs at non-apex might have trouble validating, so at some point I'd expect your proposal to choose a different approach (e.g. allocate a new identical RR type) or at least confirm that it won't be a major problem.
I agree that this would be a significant risk if the consumers of these records were the general public, who generally use whatever resolver without paying specific attention or controlling any of the moving pieces. However, the records would only be processed by supporting DNS operators, and it is entirely in their hands to use a resolver that would allow such validation. As such, I don't see any risk that would not be exposed immediately during implementation/testing, and the fix is also trivial. IMO, this means that nothing needs to be done about it on the spec side.

What do others think about the significance of that risk?

Thanks,
Peter

--
https://desec.io/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
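The "exposed immediately during implementation/testing" check Peter refers to is concrete: a supporting operator queries its chosen resolver for the non-apex DNSKEY RRset with the DO bit set and looks at whether the answer comes back with AD set (validated), without AD (returned but not validated), or as SERVFAIL (validation failed). The script below is an added example written for this thread; it is not code from the draft, from deSEC, or from either poster. The name `_signal.example.com`, the resolver address `127.0.0.1`, and the response bytes used to exercise the classifier are assumptions constructed for illustration, and mapping SERVFAIL to "bogus" follows the usual resolver behaviour rather than anything the draft specifies.

```python
"""
Probe whether a resolver validates a DNSKEY RRset at a non-apex name.

Added example for the DNSOP thread above; not code from the draft or deSEC.
The query name, resolver address and any response bytes are assumptions.
Only the standard library is used so the wire format is visible.
"""
import socket
import struct

DNSKEY_TYPE = 48
CLASS_IN = 1
OPT_TYPE = 41
EDNS_DO = 0x8000          # DNSSEC OK bit in the OPT RR flags field
FLAG_QR = 0x8000
FLAG_AD = 0x0020          # Authentic Data: resolver validated the answer


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=DNSKEY_TYPE, txid=0x1234, udp_size=1232):
    """DNS query with RD set and an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-RCODE (0), version (0), flags (DO), then RDLEN 0.
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, EDNS_DO, 0)
    return header + question + opt


def classify_response(wire, txid=0x1234):
    """
    Map a response header to the resolver's validation outcome:
      'secure'   NOERROR/NXDOMAIN with AD set
      'insecure' NOERROR/NXDOMAIN without AD (answered, not validated)
      'bogus'    SERVFAIL, which validating resolvers return on validation failure
      'other'    any other RCODE
    """
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    ad = bool(flags & FLAG_AD)
    if rcode == 2:
        return "bogus"
    if rcode in (0, 3):
        return "secure" if ad else "insecure"
    return "other"


def probe(resolver, name, timeout=3.0):
    """Send the query to a live resolver over UDP and classify its answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        wire, _ = s.recvfrom(4096)
    return classify_response(wire)


if __name__ == "__main__":
    # Assumed resolver and non-apex name; adjust for the deployment under test.
    print(probe("127.0.0.1", "_signal.example.com"))
```

Run it against each resolver the operator intends to rely on; "secure" is the result the design needs, "insecure" means the resolver returned the DNSKEY RRset without validating it, and "bogus" is the failure mode Vladimír is worried about. Note that only the header is inspected here, so a truncated (TC) answer over UDP should be retried over TCP before drawing conclusions.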