Hi Ulrich,

On Feb 25, 2021, at 06:53, Ulrich Wisser <ulrich=40wisser...@dmarc.ietf.org> wrote:

> But this is a real world problem, one that is holding DNSSEC back.
> If you buy DNS operations the operator will usually tell you what algorithm
> they use, you have no choice in that.

This feels like one of those areas where more specificity is needed. "DNS operations" is over-broad; what you mean, I think, is "if you outsource zone-signing". If you sign yourself and distribute your zone to external DNS operators then you can add and drop vendors without worrying about key rollovers, for example.

> Now if your new operator doesn’t use the same algorithm you can’t switch
> without going insecure.
> I don’t think this is an acceptable situation.

I agree that this is a factor that ought to be included in the process of deciding to move vendors. If your proposed new vendor can't do what you want, then presumably you don't move there. While it's always possible to make mistakes, it's not at all clear to me that particular problem is something that needs protocol-level mitigations.

DNSSEC is normally part of a layered set of defences. In such an architecture relaxing one layer for a period in order to fix a problem or avoid a more complicated transition can be a perfectly acceptable answer. Going insecure for a short period in that context is not necessarily a cop-out; it could well be smart thinking.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
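The trade-off Ulrich and Joe describe (a candidate signing operator that cannot produce keys for the algorithm the parent's DS records refer to) can be turned into a pre-migration check. The following Python sketch is an added example, not part of the thread and not any operator's code. It models the parent DS RRset and each operator's supported algorithm set and classifies the cut-over as direct, "roll the algorithm at the current signer first", or "the DS has to come out first" (the going-insecure case). The DS key tag and digest are constructed placeholders; the algorithm numbers are IANA DNSSEC algorithm numbers (8 = RSASHA256, 13 = ECDSAP256SHA256); the `Path` names and the `migration_path` function are this example's own.

```python
"""Planning check for a DNSSEC signing-operator change.

Added example, not from the mailing-list thread. A zone's parent holds DS
records that reference the current signer's KSK algorithm(s); a candidate
operator signs with a fixed set of algorithms. If the candidate cannot
produce keys for every algorithm the DS RRset references, the move needs
either an algorithm rollover before migration or a window with the DS
records withdrawn (the "going insecure" case discussed in the thread).

Key tags and digests below are constructed sample data. Algorithm numbers
are IANA DNSSEC algorithm numbers (8 = RSASHA256, 13 = ECDSAP256SHA256).
"""
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex; placeholder values in the samples


class Path(Enum):
    DIRECT = "direct"                    # candidate covers every DS algorithm
    ROLLOVER_FIRST = "rollover_first"    # roll algorithm at current signer first
    INSECURE_WINDOW = "insecure_window"  # no shared algorithm: DS must be pulled


def ds_algorithms(ds_rrset):
    """Set of algorithm numbers referenced by the parent-side DS RRset."""
    return {ds.algorithm for ds in ds_rrset}


def uncovered_algorithms(ds_rrset, candidate_algs):
    """DS algorithms the candidate operator cannot sign with."""
    return ds_algorithms(ds_rrset) - set(candidate_algs)


def migration_path(ds_rrset, current_algs, candidate_algs):
    """Classify the cut-over from the current signer to the candidate.

    DIRECT: every algorithm the parent DS RRset references is one the
        candidate signs with, so its keys can be pre-published and the DS
        updated without a validation gap.
    ROLLOVER_FIRST: the current signer and the candidate share at least one
        algorithm, so an algorithm rollover at the current signer (to the
        shared algorithm) can precede the move and keep the chain intact.
    INSECURE_WINDOW: no algorithm is shared; the only route is to withdraw
        the DS records first and re-establish them after the move.
    """
    missing = uncovered_algorithms(ds_rrset, candidate_algs)
    if not missing:
        return Path.DIRECT
    if set(current_algs) & set(candidate_algs):
        return Path.ROLLOVER_FIRST
    return Path.INSECURE_WINDOW


# Constructed sample: the parent holds a single DS for an RSASHA256 KSK.
SAMPLE_DS = [DS(key_tag=12345, algorithm=8, digest_type=2, digest="ab" * 32)]

if __name__ == "__main__":
    scenarios = [
        ("candidate does RSASHA256 and ECDSA", {8}, {8, 13}),
        ("candidate ECDSA only, current signer does both", {8, 13}, {13}),
        ("candidate ECDSA only, current signer RSA only", {8}, {13}),
    ]
    for label, current, candidate in scenarios:
        print(f"{label}: {migration_path(SAMPLE_DS, current, candidate).value}")
```

The check is deliberately conservative: it treats every algorithm referenced from the DS RRset as one the new signer must be able to produce, which is the assumption behind Ulrich's "you can't switch without going insecure" and the reason the ROLLOVER_FIRST path exists as a middle option when the current signer is flexible enough to roll to an algorithm the candidate also supports.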