> Their zone is already made insecure by a number of OS/DNS implementation combos. Perhaps someone with RIPE Atlas credits can run a check like the equivalent of "dig dnskey nic.kpn +dnssec" to see how many end users already get insecure answers for this?
This reads as Redhat strong-arming the IETF into adopting a draft that has no technical merit. The number of OS/DNS combos that you refer to are all from or related to Redhat. Redhat decided to start shipping DNSSEC validators that violate the current standard. The existence of such software should not override technical considerations. This needs to stay what it currently is, a draft, until there are clear technical reasons why the security of the internet improves by instructing validators to not support signing algorithms that include SHA1. The security of the internet does not improve with the current draft. Operators likely understand that Redhat systems are not a good basis for DNSSEC and need to be avoided. To the extent that they don't, we can make tools that show that their current validator does not conform to IETF standards.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
