> -----Original Message-----
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of John R Levine
>
> On Thu, 20 Jul 2017, Tony Finch wrote:
> > John R Levine <jo...@taugh.com> wrote:
> >>
> >> BULK absolutely requires online DNSSEC signing,
> >
> > This basically means that BULK is a master-only feature, which implies
> > that there's no need for BULK to work across zone transfers, which
> > implies the need to standardize it for interop is almost nonexistent.
>
> I can't speak for the draft's authors, but in previous correspondence
> I've gotten the impression that they believe that slaves that serve
> BULK can stay in sync via AXFR and IXFR.  Perhaps they can clarify
> how this is supposed to work.
>

Hi John,

Thanks again for your feedback.

First, let me state *I LOVE DNSSEC* but this was definitely not
always the case.  In fact it took nearly a decade for me to go
from: "Why are they solving for a nuclear meltdown of SSL/TLS/PKI?"
to:   "Why isn't this everywhere already?!"

Wherever I was on this path, DNSSEC's eventual ubiquitousness was
always assumed.

However, even now while my group is actively promoting DNSSEC
adoption, from where I sit, I see roughly 1/10 of 1% of authoritative
zones with DNSSEC enabled and believe me, most of those 0.1% were
by mandate and not choice.

I write this not as discouragement, reason to dismiss or to
point out failure, as this is *my* community and *my* responsibility
to see it succeed and thrive.  Rather, this is to point out
opportunity where it can be seen.

Dean (co-author) and I believe the success of DNSSEC is
vital to the future of the Internet and hope to play active
roles in its future.  However, as stated its low adoption rate
offers an opportunity to make changes before critical mass makes
it much more complicated.

I see no reason to delay technology like NSEC5 and BULK out of
fear it will slow the adoption of DNSSEC but rather see this as
an opportunity to move forward in parallel and meet this new
landscape we are all building.

As this progress is made, I would like to propose a phased-in
approach for BULK which can be added to the draft a la IPv6.

  Phase-1) BULK only assumed to work on *own* authoritative
           nameservers with insecure zones

  Phase-2) BULK only assumed to work with *some* external
           backup nameservers with insecure zones

  Phase-3) BULK only assumed to work with *most* external
           backup nameservers with insecure zones

  Phase-4) BULK only assumed to work with *some*
           validating nameservers

  Phase-5) BULK works on all authoritative nameservers
           and validating nameservers


Thanks,
John

>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
> https://jl.ly


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
