On Wed, Jul 19, 2017 at 09:57:49PM -0000, John Levine <jo...@taugh.com> wrote a message of 38 lines which said:
> We did this in a horrible ad-hoc way with DNSSEC, and even with
> DNSSEC there's the fallback that the unsigned answers you get from a
> server that doesn't understand RRSIG et al. are for many purposes
> adequate.

I do not understand. If you sign on the master and forget to check the slaves (for instance if they are BIND with dnssec-enable no), the results are catastrophic for validating resolvers. You HAVE TO know and check your secondaries. It is the same with BULK as it is with DNSSEC.

And DNSSEC is not the only case where we introduced RRtypes where you have to check your slaves to be sure they support it. There was also DNAME.

That's why I don't share the fears about BULK: you cannot easily deploy a new feature that will require a change in the resolvers, because you don't know all the resolvers, and cannot change them even if you know they are too old. But your secondaries are only a small set of carefully chosen servers, and you have your say.
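An added example of the "check your secondaries" point above, not code from the thread or from any DNS project, using only the Python standard library: it builds a DO-bit query (what `dig +dnssec` sends) and counts RRSIG records in a secondary's wire-format answer; the two sample responses are constructed here, not captured from a real server.

```python
"""Check whether a DNS secondary actually serves DNSSEC data (RRSIGs)."""
import socket
import struct

RRSIG = 46      # RR type number of RRSIG
OPT = 41        # RR type number of the EDNS0 OPT pseudo-record
DO_FLAG = 0x8000  # DNSSEC OK bit in the OPT record's TTL field

def encode_name(name):
    # Wire-format name: "example.com." -> b"\x07example\x03com\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dnssec_query(name, qtype=1, txid=0x1234):
    # Standard recursion-desired query plus an OPT RR with DO set (like "dig +dnssec").
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG, 0)
    return header + question + opt

def skip_name(msg, off):
    # Advance past a possibly compressed name; return the offset just after it.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def rrsig_count(response):
    # Number of RRSIG records in the answer section of a wire-format response.
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4          # QTYPE + QCLASS
    found = 0
    for _ in range(ancount):
        off = skip_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        found += rtype == RRSIG
    return found

def check_secondary(server, name, qtype=1, timeout=3.0):
    # Query one secondary over UDP; True only if its answer carries RRSIGs.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_dnssec_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return rrsig_count(data) > 0

def _response(answers):
    # Constructed response (not a capture) for "example.com A" with the given answer RRs.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + encode_name("example.com") + struct.pack("!HH", 1, 1) + b"".join(answers)

A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
RRSIG_RR = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 6) + b"\x00\x01\x08\x02\x00\x00"  # placeholder RDATA
SIGNED_RESPONSE = _response([A_RR, RRSIG_RR])   # what a DNSSEC-aware secondary returns
UNSIGNED_RESPONSE = _response([A_RR])           # what a secondary that drops RRSIGs returns
```

Run `check_secondary()` against every listed NS for the zone after signing; any server returning False will break validating resolvers exactly as described above.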