Hi Shumon,

On 18 Dec 2024, at 11:12, Shumon Huque <shu...@gmail.com> wrote:

> Love you Joe, but I have to quibble with this stance a bit. In my view, going 
> insecure seems valid only because there is a prevailing perception that 
> nothing critically depends on DNSSEC (your observation of DANE 
> notwithstanding).

Love you too, sweetie. I agree that prevailing perceptions can be a problem, 
but that cuts both ways. Verifiably insecure responses are just as non-bogus as 
verifiably secure ones. The question of what is reasonable here is not a matter 
of protocol, it's a matter of expectations between the zone operator and its 
relying parties. 

> That's something I hope will change in the future (both the perception and 
> the reality). The parties involved in the recent GOV TLD provider+algorithm 
> transition went to great pains to ensure that they did not go insecure. I hope 
> that other TLDs will follow suit.

Christian did a nice presentation about that at a somewhat-recent DNS-OARC 
meeting. That one had the additional excitement of a multi-provider transition 
period that mixed NSEC and NSEC3 negative responses, and together Cloudflare 
and Verisign managed the transition very elegantly. 

So I am definitely not saying it can't be done and I'm not making an argument 
for going insecure, I'm just saying going insecure can be a legitimate option. 
In some cases it might be the most stable option. Again, not commenting on the 
specific circumstances here. 


Joe
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations