Ulrich Wisser <ulrich=40wisser...@dmarc.ietf.org> writes: > Not only am I in favor of the RFC6840 lax validation, it is in fact > necessary for secure DNSSEC operation.
I almost wrote up an ID specifically to say validation should always be lax but be much more clear about it than the current specs. I kind of like Ben's proposal, *if* it was married with a clear set of text saying without it validators should take any acceptable validation path (and not "all or nothing"). Only operators understand their situations with respect to "should I be more robust or more secure?" You can't have both, and right now I know operators that refuse to roll their algorithm because the complexity is too high (hence my other draft). So they stick with an insecure algorithm instead. Is that better? Wouldn't it be better for people that just want security but robustness to give them an option that provides that without the ultra-security required by others? -- Wes Hardaker USC/ISI _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
