On Sun, 19 Nov 2017, JW wrote:
Hello,
This draft was released a couple of weeks ago and includes what we feel are some
very noteworthy changes.
Please take another look when you have time; as always, we look forward to and
welcome any questions/comments.
I am disappointed I was unable to join the group in Singapore but am optimistic
I'll be able to meet again in London.
Hi, I was brought here by the notification of this in v6ops.
I am supportive of the general idea of having these kinds of bulk records
standardized. I read the draft, and if I understand correctly it currently
proposes to not have DNSSEC support without on-the-fly signing.
I am extremely opposed to introducing new features into DNS that don't
support DNSSEC. Going from not supporting DNSSEC to supporting DNSSEC on
your device/server/whatever should never mean you lose features. So if
anything new is proposed that doesn't support DNSSEC (at least on the
server side), then we need to have a "let's deprecate DNSSEC" discussion
at the same time. If the consensus is that we shouldn't deprecate DNSSEC,
then whatever feature is proposed that doesn't support DNSSEC needs to go
back to the drawing table.
With that in mind, I'd rather have this feature be a new RR type that
would involve not generating records on the fly at all, but instead sign
this RR type using regular DNSSEC, and then the resolver needs to be
updated in order to actually use/understand this new RR type. I know this
(probably) brings in another world of hurt as now (I guess) the resolver
needs to fake PTR entries towards internal APIs that don't support these
bulk RRs?
Anyhow, suggesting this without support for offline signed zone files is a
no-go for me (unless that of course is deprecated and we're saying DNSSEC
now is all about on-the-fly signing, then that discussion of course
changes).
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop