On Dec 30, 2020, at 22:11, Daniel Migault <mglt.i...@gmail.com> wrote:
>
> <mglt>
> If I understand clearly the comment, it seems to say that TLS (for example)
> is using RFC Required and that DNSSEC should do the same. Quickly going
> through RFC 8447, I cannot find "RFC Required", so I am wondering if you have
> a specific registry in mind. As far as I can see, the TLS cipher suite
> registry requires Standard Action to set Recommended to "Y" and Specification
> Required otherwise. As a result, leaving it to Standard Action seems better
> aligned with what TLS does for "Recommended".

As previously explained in this thread, you cannot compare TLS with DNSSEC. With TLS you can offer IETF algorithms along with a nation state algo, and the client can pick what it prefers. For DNSSEC, the signed zone has already made all the decisions. A DNS client cannot decide to use or not use its local national algo.

Paul

> My motivation for not lowering the requirement is based on the specificities
> of DNS, that is the DNS is a system that handles a global shared resource

For those regimes who for instance are not allowed to trust RSA or NIST/NSA based ECC curves, you prefer those zones use no DNSSEC at all versus say GOST? Because that's what you are offering as the only choice now.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop