On Dec 30, 2020, at 22:11, Daniel Migault <mglt.i...@gmail.com> wrote:
> 
> 
> <mglt>
> If I understand clearly the comment, it seems to say that TLS (for example) 
> is using RFC Required and that DNSSEC should do the same. Quickly going 
> through RFC 8447, I cannot find "RFC Required", so I am wondering if you have 
> a specific registry in mind. As far as I can see, the TLS cipher suite 
> registry requires Standard Action to set Recommended to "Y" and Specification 
> Required otherwise. As a result, leaving it to Standard Action seems better 
> aligned with what TLS does for "Recommended".

As previously explained in this thread, you cannot compare TLS with DNSSEC. 
With TLS you can offer IETF algorithms along with a nation state algo, and the 
client can pick what it prefers.

For DNSSEC, the signed zone has already made all the decisions. A DNS client 
cannot decide to use or not use its local national algo.

Paul

> My motivation for not lowering the requirement is based on the specificities 
> of DNS, that is, the DNS is a system that handles a global shared resource

For those regimes who for instance are not allowed to trust RSA or NIST/NSA 
based ECC curves, you prefer those zones use no DNSSEC at all versus say GOST?

Because that’s what you are offering as the only choice now.

Paul


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
