> On Feb 26, 2021, at 5:58 PM, Ben Schwartz <bem...@google.com> wrote:
> 
> I agree.  The Strict Mode draft is, in a sense, based on the pessimistic 
> assumption that we won't be able to sufficiently improve these practices, so 
> we'll need to be able to tolerate second-rate signature algorithms.  That 
> could be because of outdated clients, postquantum concerns, or conflicting 
> national crypto requirements.  Also, the bar will be higher if we believe 
> that DNSSEC is not only for partial defense and special uses, but a global 
> security layer on par with HTTPS.
> 
> It's clear that the working group is not convinced.  That's fine!  As long as 
> everyone is aware of the challenge, we can revive this approach if it becomes 
> necessary.

I am much closer to convinced than it may appear.  The protocol
is logically and technically sound.  I hesitate primarily because
I think we're not doing the basics well enough yet to set the bar
even higher, and users are likely to make mistakes.  I'd like to
revisit this proposal as use of DNSSEC expands and we start to
expect more from operators and we see evidence that practices
have improved to a point where we might legitimately worry about
downgrades as much as about operational errors.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
