On 5/2/24 10:13, Philip Homburg wrote:
is getting people to sign their zones in the first place (and adding transport security). But we have time to just kill 140k signed for no technical reasons? In the end the current draft has a strong negative effect on the direct and indirect users of about 140k zones.
Nothing breaks if we agree to only say MUST NOT for signing, while still allowing validation.
> The impact on validation software may also be very annoying. Validation software will have to default to not support SHA1 in signing
No, if we continue to allow validation. It is then the resolver operator's responsibility to decide whether they want to cut validation support for those 140k zones or not. (It's been like that anyway, see RedHat.) The document should be about deprecating signing, not validating. Again, doing so doesn't break anything.

Peter

-- 
https://desec.io/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
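An added illustration of what "cutting validation support" for SHA-1 actually does to a zone that is still signed with it. This is example code written for this page; it is not from the draft under discussion, from Red Hat, or from any resolver. It models the rule in RFC 4035 section 5.2: when none of the algorithms in an authenticated DS RRset is supported by the validator, the child zone is treated as if no DS existed, i.e. it becomes INSECURE (unsigned), not BOGUS. The algorithm sets and all DS records below are constructed for the example, and the digests are dummy values.

```python
"""Model of a validator that has dropped SHA-1 algorithms (RFC 4035 section 5.2).

Added example for this thread, not code from the draft or any resolver.
Sample DS records and digests are constructed; algorithm sets are assumptions.
"""
from dataclasses import dataclass

# IANA DNS Security Algorithm Numbers that depend on SHA-1
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Assumption for the example: a validator whose operator dropped SHA-1 keeps
# RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, ED448.
NO_SHA1_VALIDATOR = {8, 10, 13, 14, 15, 16}
# The same validator with the SHA-1 RSA algorithms still enabled.
PERMISSIVE_VALIDATOR = NO_SHA1_VALIDATOR | {5, 7}


@dataclass(frozen=True)
class DSRecord:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(line: str) -> DSRecord:
    """Parse one DS record in presentation format:
    '<owner> [<TTL>] [IN] DS <key tag> <algorithm> <digest type> <hex digest>'."""
    fields = line.split()
    i = fields.index("DS")
    key_tag, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).lower()  # digest may be split over whitespace
    return DSRecord(fields[0], key_tag, algorithm, digest_type, digest)


def signing_algorithms(ds_rrset) -> set:
    """Algorithms the parent delegates trust to for this child zone."""
    return {ds.algorithm for ds in ds_rrset}


def signed_only_with_sha1(ds_rrset) -> bool:
    """True when every delegated algorithm is SHA-1 based, i.e. there is no
    non-SHA-1 chain of trust a validator could fall back on."""
    algs = signing_algorithms(ds_rrset)
    return bool(algs) and algs <= set(SHA1_ALGORITHMS)


def validation_outcome(ds_rrset, supported) -> str:
    """State a validator assigns to the child given its authenticated DS RRset.

    - no DS at all: insecure (unsigned delegation)
    - DS present but no supported algorithm: insecure, because RFC 4035 5.2
      tells the validator to proceed as if the DS RRset were proven absent
    - at least one supported algorithm: a validatable path exists; assuming
      the matching DNSKEY and RRSIGs verify, the zone is secure
    """
    algs = signing_algorithms(ds_rrset)
    if not algs:
        return "insecure"
    if algs & supported:
        return "secure"
    return "insecure"


def report(zones, supported) -> dict:
    """Map each zone name to its outcome under a validator supporting `supported`."""
    return {name: validation_outcome(rrset, supported) for name, rrset in zones.items()}


# Constructed sample delegations; digests are placeholders, not real hashes.
DUMMY = "00" * 32
SAMPLE_ZONES = {
    # signed with RSASHA1-NSEC3-SHA1 only: one of the legacy zones in question
    "legacy.example.": [parse_ds(f"legacy.example. 3600 IN DS 12345 7 2 {DUMMY}")],
    # mid-rollover: SHA-1 and ECDSA P-256 DS both published at the parent
    "rolling.example.": [
        parse_ds(f"rolling.example. 3600 IN DS 12345 7 2 {DUMMY}"),
        parse_ds(f"rolling.example. 3600 IN DS 23456 13 2 {DUMMY}"),
    ],
    # ECDSA P-256 only
    "modern.example.": [parse_ds(f"modern.example. 3600 IN DS 34567 13 2 {DUMMY}")],
    # unsigned delegation, no DS
    "unsigned.example.": [],
}

if __name__ == "__main__":
    for name, rrset in SAMPLE_ZONES.items():
        print(f"{name:20} sha1-only={signed_only_with_sha1(rrset)!s:5} "
              f"permissive={validation_outcome(rrset, PERMISSIVE_VALIDATOR):8} "
              f"no-sha1={validation_outcome(rrset, NO_SHA1_VALIDATOR)}")
```

The point worth checking against any real deployment is the second case: a validator that stops supporting algorithms 5 and 7 does not start returning SERVFAIL for those zones, it silently downgrades them to unsigned, so the zone's operators and users lose protection without seeing an error. A zone in the middle of a rollover to a non-SHA-1 algorithm (rolling.example. above) keeps a secure path as long as the parent publishes the new DS. The model only covers the signing algorithm; a DS with digest type 1 (SHA-1) is a separate question that it does not address.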