On May 19, 2014, at 8:26 PM, Bob Halley <bob.hal...@nominum.com> wrote:

> On 5/19/14, 16:43, "Mark Andrews" <ma...@isc.org> wrote:
>
>> No. Your analysis is faulty.
>>
>> ENAME could be used immediately once the authoritative servers for
>> the zone support it. It would just be insecure until validators
>> catch up. ENAME + old algorithm would be illegal and would be
>> enforced by signing code and authoritative servers.
>
> I didn't say ENAME wouldn't work if you didn't validate. What I'm saying
> is that proposals which are incompatible with existing DNSSEC should be
> subject to the most rigorous scrutiny and cost-benefit analysis, and that
> I don't think ENAME's benefits are worth its costs. Others may have
> differing valuations. That's all I'll say on this matter.

+1

Anything that requires logic changes in resolvers takes a long time to roll out. We cannot afford having one more change that negatively affects DNSSEC validation.

SRV use by HTTPv2 is mostly a client change; we will not need to wait for the 5+ year development + deployment cycle of upgraded resolvers in certain OS distributions.

As a matter of fact, I recall that Mark wrote this document many years back:
http://tools.ietf.org/html/draft-andrews-http-srv-00

If that draft had got traction then, the world would be a much better place today.

Olafur

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop