On Wed, 29 Apr 2020, Paul Vixie wrote:
> no. i mean that the decision to require a "clear path" for DNSSEC meant that no DNSSEC-dependent application has ever received investment. for example, DANE is interesting in the SMTP market because that's small and geeky, but will never be adopted by the Web because there are too many endpoints who cannot do stub validation and too many who will never be able to.

You seem to think that the Web(PKI) not accepting DNSSEC was a technical problem. While there were technical issues, I don't think the acceptance or not had anything to do with technology.

But regardless, those technology problems are now resolved. Most people have a clean path and those who don't have ways to make it clean using DoH or DoT. We can wait a few years now. We have waited long enough.

And if DNS(SEC) is replaced by something else that's cleaner, that is fine too, provided that new solution keeps the hierarchical structure of TLDs intact. And there is no way it could not, as there are piles of money involved - billions of dollars as we recently saw.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop