On Tue, 30 Apr 2024, Paul Hoffman wrote:
> Until someone can show that a reduction in collision resistance can lead to a reduction in real-world security for DNSSEC, we can wait for "MUST NOT validate", possibly forever. There is no good reason for this group to say to a zone operator who signed their zone in good faith "we are now making your zone insecure"; it's even worse for us to say to zone owners "we're forcing you to pick a different TLD if you still want to be secure".
Their zone is already made insecure by a number of OS/DNS implementation combos. Perhaps someone with RIPE Atlas credits can run a check like the equivalent of "dig dnskey nic.kpn +dnssec" to see how many end users already get insecure answers for this?

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
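The check suggested above amounts to asking many resolvers for the zone's DNSKEY with the DO bit set and then reading the response header: the AD flag means the resolver validated the chain, NOERROR without AD means it treated the zone as unsigned (for example because it does not support the signing algorithm), and SERVFAIL means validation was attempted and failed. The following is an added example, not code from the thread or from any IETF tool; the dig header fragments are constructed samples, and in practice the function would be fed the header lines of real `dig ... +dnssec` output from each vantage point.

```python
import re

# Constructed dig header fragments (not real captures) covering the three
# outcomes a measurement would bucket responses into.
SECURE_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
INSECURE_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def classify_dig_header(output: str) -> str:
    """Classify one resolver's answer from dig's header lines.

    'secure'   - AD bit set: the resolver validated the DNSSEC chain.
    'insecure' - NOERROR without AD: the resolver did not validate this zone
                 (e.g. its signing algorithm is unsupported, so the zone is
                 treated as unsigned).
    'bogus'    - SERVFAIL: validation was attempted and failed.
    'unknown'  - header lines missing or an unexpected rcode.
    """
    status_m = STATUS_RE.search(output)
    flags_m = FLAGS_RE.search(output)
    if not status_m or not flags_m:
        return "unknown"
    status = status_m.group(1)
    flags = set(flags_m.group(1).split())
    if status == "SERVFAIL":
        return "bogus"
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    return "unknown"


def summarize(outputs):
    """Count how many vantage points fall into each bucket."""
    counts = {"secure": 0, "insecure": 0, "bogus": 0, "unknown": 0}
    for out in outputs:
        counts[classify_dig_header(out)] += 1
    return counts


if __name__ == "__main__":
    print(summarize([SECURE_SAMPLE, INSECURE_SAMPLE, BOGUS_SAMPLE]))
```

To attribute an "insecure" result to the zone's algorithm rather than to a resolver that never validates anything, pair each query with a control query for a zone signed with a widely supported algorithm: only resolvers that return AD for the control but not for the zone under test are evidence for the downgrade being discussed. The AD flag is also only meaningful when the query set DO (which `+dnssec` does) or the AD bit.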