On Thu, 20 Jul 2017, Woodworth, John R wrote:
> Camp#2) Don't break DNS, even for a second
Well, yeah, except that there's no such thing as breaking the DNS for a second. If we look at the history of DNSSEC, we'd break the DNS for somewhere between a decade and forever. We have tried very hard for three decades to avoid breaking backward compatibility, and it's hard to believe that this is the reason to do it.
> If you choose a secondary that is unaware of BULK, you will get NXDOMAINs when they are hit. If BULK makes it into the top-5 DNS nameserver implementations, it's only a matter of time before the next security concern will get the secondary back in sync, and in the meantime maybe you can choose a compatible one.
If only it were that simple. BULK absolutely requires online DNSSEC signing, and there is not even a halfway-standard way to distribute signing keys to secondary servers. I think it would be a good thing to figure out how to do DNSSEC key distribution, but we are a long way away from that. I think we can assume that "BULK works if you don't sign" is not a winning argument.
Without versioning, BULK will be endlessly flaky. With versioning that keeps broken mirrors from serving it, it'd work a lot better.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop