On 2/25/16, 17:58, "DNSOP on behalf of Warren Kumari" <dnsop-boun...@ietf.org on behalf of war...@kumari.net> wrote:
>We have recently updated "Believing NSEC records in the DNS root"
>(https://tools.ietf.org/html/draft-wkumari-dnsop-cheese-shop-01).

My objection to this document is based on the draft's proposal to specify a change to the protocol based on the data being carried in one particular deployment of the protocol. (The temptation to define special protocol behaviors for a special use case came up when we'd considered altering the DNSSEC signing definition for dotCOM. At the time, a 750K delegation-large zone was larger than a 100MHz PC could handle. We didn't; eventually an "opt-out" proposal was adopted that would work with any zone.)

The DNS protocol is used in more than just the global public Internet. I.e., there are other inter-network environments in production use, run independently of the internet. The cross-over between such environments and the internet is the use of the same software. If the DNS is built to assume that the root zone is DNSSEC signed with NSEC records and this is then "burned into software", the other inter-networks will be given the choice of having to turn on DNSSEC and NSEC for their root zone or developing other software. (Or...other inconvenient mitigations.)

This has nothing to do with whether NXDOMAIN responses can or should be assembled by a DNS intermediary. That's an entirely different question.
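The message above objects to software assuming that the root zone is signed with NSEC. The following added example (not code from this thread, from the cheese-shop draft, or from any resolver) shows the NSEC ordering check a validator would run on a negative answer written so that it is parameterised on the zone apex and on the record type actually present in the response: it works for any zone, and returns no conclusion at all when the response carries no NSEC records (unsigned zone, or a zone using NSEC3). The wildcard and closest-encloser proofs required by RFC 4035 are deliberately omitted to keep the focus on the canonical ordering; all record data below is constructed.

```python
"""NSEC coverage check parameterised on the zone apex and on what the answer
actually contains, rather than on an assumption about the root zone.

Added illustration; constructed sample data; RFC 4035 wildcard/closest-encloser
proofs are intentionally not implemented here.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


def canonical_key(name: str) -> tuple:
    """Sort key giving DNSSEC canonical order (RFC 4034 section 6.1):
    labels compared right to left, case-insensitively, shorter name first
    when one name is a suffix of the other.  '.' maps to the empty tuple."""
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class Nsec:
    """Minimal NSEC RR: owner name, next owner name, and the type bitmap."""
    owner: str
    next_name: str
    types: frozenset = frozenset()


def nsec_covers(rec: Nsec, qname: str, apex: str) -> bool:
    """True when qname sorts strictly between rec.owner and rec.next_name.

    The last NSEC in a zone points back to the apex, so its gap wraps around:
    everything after the owner is covered.  The apex is an explicit parameter;
    nothing here assumes the zone is the root."""
    own, nxt, qry = canonical_key(rec.owner), canonical_key(rec.next_name), canonical_key(qname)
    if nxt == canonical_key(apex):
        return qry > own
    return own < qry < nxt


def proves_nonexistence(records: Sequence[object], qname: str, apex: str) -> Optional[bool]:
    """Evaluate a negative answer's authority section.

    Returns True if some NSEC covers qname, False if an NSEC owner equals
    qname (so the name exists and this is not an NXDOMAIN case), and None when
    the answer carries no NSEC at all, i.e. nothing this logic may "believe"."""
    nsecs = [r for r in records if isinstance(r, Nsec)]
    if not nsecs:
        return None
    qry = canonical_key(qname)
    if any(canonical_key(r.owner) == qry for r in nsecs):
        return False
    return any(nsec_covers(r, qname, apex) for r in nsecs)


# Constructed fragment of an NSEC chain for a root-like zone (apex ".").
ROOT_NSECS = [
    Nsec("aaa.", "abb.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    Nsec("zw.", ".", frozenset({"NS", "RRSIG", "NSEC"})),
]

# Constructed chain for an independently run inter-network whose apex is not
# the root: the same code applies unchanged.
PRIVATE_NSECS = [
    Nsec("corp.", "a.corp.", frozenset({"SOA", "NS", "RRSIG", "NSEC"})),
    Nsec("a.corp.", "corp.", frozenset({"A", "RRSIG", "NSEC"})),
]

# Constructed answer from a zone that is unsigned (or NSEC3-signed): no NSEC.
NO_NSEC_ANSWER = ["SOA corp. ...", "NSEC3 (opaque hashed owner) ..."]

if __name__ == "__main__":
    print(proves_nonexistence(ROOT_NSECS, "aab.", "."))          # True
    print(proves_nonexistence(ROOT_NSECS, "zzz.", "."))          # True
    print(proves_nonexistence(ROOT_NSECS, "AAA.", "."))          # False
    print(proves_nonexistence(PRIVATE_NSECS, "b.corp.", "corp."))  # True
    print(proves_nonexistence(NO_NSEC_ANSWER, "x.corp.", "corp."))  # None
```

The `None` return is the design point: a resolver that treats "no NSEC present" as "no conclusion" keeps working for an inter-network whose root is unsigned or NSEC3-signed, whereas code that hard-wires the public root's NSEC layout would force that operator to change their zone or their software.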