On May 19, 2014, at 8:26 PM, Bob Halley <bob.hal...@nominum.com> wrote:

> On 5/19/14, 16:43, "Mark Andrews" <ma...@isc.org> wrote:
> 
>> No.  Your analysis is faulty.
>> 
>> ENAME could be used immediately once the authoritative servers for
>> the zone support it.  It would just be insecure until validators
>> catch up.  ENAME + old algorithm would be illegal and would be
>> enforced by signing code and authoritative servers.
> 
> I didn't say ENAME wouldn't work if you didn't validate.  What I'm saying
> is that proposals which are incompatible with existing DNSSEC should be
> subject to the most rigorous scrutiny and cost-benefit analysis, and that
> I don't think ENAME's benefits are worth its costs.  Others may have
> differing valuations.  That's all I'll say on this matter.

+1
Anything that requires logic changes in resolvers takes a long time to roll
out. We cannot afford having one more change that negatively affects DNSSEC
validation.
SRV use by HTTPv2 is mostly a client change; we will not need to wait for the
5+ year developmental + deployment cycle of upgraded resolvers in certain OS
distributions.

As a matter of fact I recall that Mark wrote this document many years back:
 http://tools.ietf.org/html/draft-andrews-http-srv-00
If that draft had got traction then, the world would be a much better place
today.

        Olafur
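The thread's point that SRV-based HTTP is "mostly a client change" rests on the client doing the RFC 2782 target selection itself. The block below is an added illustration of that client-side step, not code from the thread or from the draft Olafur cites; the record set and the `example.com` names are constructed placeholders.

```python
"""Client-side RFC 2782 SRV target selection for _http._tcp.<name>.

Added example, not code from the mailing-list thread or the cited draft.
The answer set below is constructed; all names are placeholders.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SRVRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_qname(domain: str, service: str = "http", proto: str = "tcp") -> str:
    """Build the owner name a client queries, e.g. _http._tcp.example.com."""
    return f"_{service}._{proto}.{domain.rstrip('.')}"


# Constructed answer for _http._tcp.example.com (placeholder domain): two
# equal-priority front ends split 60/40 by weight, plus a lower-preference
# backup that is only tried when both of them fail.
CONSTRUCTED_RRSET: List[SRVRecord] = [
    SRVRecord(priority=10, weight=60, port=8443, target="a.example.com."),
    SRVRecord(priority=10, weight=40, port=8443, target="b.example.com."),
    SRVRecord(priority=20, weight=0, port=443, target="backup.example.com."),
]


def order_targets(rrset: List[SRVRecord],
                  rng: Optional[random.Random] = None) -> List[SRVRecord]:
    """Return the records in the order a client should try them.

    RFC 2782 usage rules: ascending priority; within one priority, a
    weighted random draw where zero-weight records are listed first so
    they are chosen only when the draw is exactly 0 or nothing else is left.
    """
    rng = rng or random.Random()
    # A lone record whose target is "." means the service is explicitly
    # not offered at this name; the client must not fall back to A/AAAA.
    if len(rrset) == 1 and rrset[0].target == ".":
        return []
    ordered: List[SRVRecord] = []
    for prio in sorted({r.priority for r in rrset}):
        remaining = [r for r in rrset if r.priority == prio]
        while remaining:
            # Stable sort: zero-weight records move to the front.
            remaining.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in remaining)
            draw = rng.randint(0, total)  # inclusive on both ends per RFC
            running = 0
            for r in remaining:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    remaining.remove(r)
                    break
    return ordered


def first_choice_share(rrset: List[SRVRecord], target: str,
                       trials: int = 10000, seed: int = 1) -> float:
    """Fraction of runs in which `target` is tried first (weight check)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if order_targets(rrset, rng)[0].target == target)
    return hits / trials


if __name__ == "__main__":
    print(srv_qname("example.com"))
    for rec in order_targets(CONSTRUCTED_RRSET, random.Random(7)):
        print(f"try {rec.target}:{rec.port} (prio {rec.priority})")
```

Nothing here touches the resolver: the stub returns whatever RRset it has, and the ordering, the zero-weight rule and the "." not-available marker are all applied by the application, which is why the change can ship with the client rather than waiting on resolver upgrades.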
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
