Moin!

On 21 May 2014, at 16:16, Mark Andrews <ma...@isc.org> wrote:
> More that it was assumed that people would read the rfc and enforce
> the prohibition themselves.  When that wasn't happening it was first
> made into a warning '97 and fatal in '99.
IMHO software should not allow me to make incorrect entries. I think having 
the assumption that everybody editing a zone file would have read the RFCs is a 
bit far-fetched.

> No, it will not break DNSSEC resolvers.  If you were to need to
> use ENAME and you are signing then only validators that were aware
> of ENAME would mark you as secure.  The existing validators would
> treat you as insecure.  If you don't need the ENAME functionality
> you would continue to use the existing algorithms when signing.
We have different definitions of breaking. To me, when a validator gives me an 
insecure on something that has DNSSEC signatures and proper secure delegation, I 
consider that broken, as it probably allows neat downgrade attacks.

> Introducing NSEC3 did not break existing validators.  Introducing
> ENAME will not break existing validators.
NSEC3 was defined before the root was signed, so there was no real deployment. 
Now we have, granted, limited deployment on the authoritative as well as the 
resolver/validator side. So we have to be much more careful about the impact of 
what we do to people who do the right thing (validating) now.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop