On 5/2/24 10:13, Philip Homburg wrote:
    is getting people to sign their zones in the first place (and adding
    transport security). But we have time to just kill 140k signed for
    no technical reasons?

In the end the current draft has a strong negative effect on the direct
and indirect users of about 140k zones.

Nothing breaks if we agree to only say MUST NOT for signing, while still 
allowing validation.

    The impact on validation software may also be very annoying. Validation
    software will have to default to not support SHA1 in signing

No, if we continue to allow validation.

It is then the resolver operator's responsibility to decide whether they want 
to cut validation support for those 140k zones or not. (It's been like that 
anyway, see RedHat.)

The document should be about deprecating signing, not validating. Again, doing 
so doesn't break anything.

Peter

--
https://desec.io/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
