Hi Jim,

I don’t want to signal this to resolvers, there is no need to. As domains are 
resolved by themselves, a resolver doesn’t need to know if all other subdomains 
of .se are signed too, just that the one it is interested in is signed.

But if .se would have that policy, how would you move a domain between name 
server operators?
- If approved by the chairs Shumon and I will present our work on automating 
this at the next dnsop meeting.
- If the operators do not support the same algorithm, only lax validation can 
save you. (And that is how this discussion started.)

/Ulrich
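
As an added illustration of that last point (example code, not part of Ulrich's or Jim's messages), the model below walks the states a validator may see while a zone moves from an operator signing only with one algorithm to an operator signing only with another, with both operators' keys published during the overlap, and checks each state under a strict reading of RFC 4035 section 2.2 (every DNSKEY algorithm must sign the zone) and a lax reading of RFC 6840 section 5.11 (one complete valid chain is enough). The state names and the per-operator views are constructed assumptions of the model.

```python
from dataclasses import dataclass

RSASHA256, ECDSAP256SHA256 = 8, 13  # DNSSEC algorithm numbers (IANA registry)


@dataclass(frozen=True)
class ApexView:
    """What a validator sees for one zone from one answering operator (constructed model)."""
    ds_algs: frozenset      # algorithms present in the parent's DS RRset
    dnskey_algs: frozenset  # algorithms present in the apex DNSKEY RRset
    rrsig_algs: frozenset   # algorithms that actually signed the RRsets in the answer


def strict_ok(v: ApexView) -> bool:
    """RFC 4035 s2.2 reading: every DS algorithm has a DNSKEY, and every DNSKEY
    algorithm signs the zone. Fails as soon as one operator signs with only its own alg."""
    return v.ds_algs <= v.dnskey_algs and v.dnskey_algs <= v.rrsig_algs


def lax_ok(v: ApexView) -> bool:
    """RFC 6840 s5.11 reading: accept if any DS algorithm leads to a DNSKEY that signed."""
    return any(a in v.dnskey_algs and a in v.rrsig_algs for a in v.ds_algs)


def migration_views(old_alg: int, new_alg: int) -> dict:
    """Views during a move from an operator signing with old_alg to one signing with
    new_alg. In the overlap both DS and DNSKEY sets are merged, but each operator's
    answers carry only its own RRSIGs (constructed multi-signer-style sequence)."""
    f = frozenset
    return {
        "before":          ApexView(f({old_alg}), f({old_alg}), f({old_alg})),
        "overlap_old_ans": ApexView(f({old_alg, new_alg}), f({old_alg, new_alg}), f({old_alg})),
        "overlap_new_ans": ApexView(f({old_alg, new_alg}), f({old_alg, new_alg}), f({new_alg})),
        "after":           ApexView(f({new_alg}), f({new_alg}), f({new_alg})),
    }


def classify(old_alg: int, new_alg: int) -> dict:
    """Map each migration state to (strict_ok, lax_ok)."""
    return {name: (strict_ok(v), lax_ok(v))
            for name, v in migration_views(old_alg, new_alg).items()}


if __name__ == "__main__":
    for state, (strict, lax) in classify(RSASHA256, ECDSAP256SHA256).items():
        print(f"{state:16s} strict={strict!s:5s} lax={lax}")
```

Running it with the same algorithm on both sides (e.g. `classify(8, 8)`) passes every state under both readings, which is why a shared algorithm sidesteps the problem.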


> On 1 Mar 2021, at 15:18, Jim Reid <j...@rfc1035.com> wrote:
> 
> 
> 
>> On 1 Mar 2021, at 13:29, Ulrich Wisser <ulrich=40wisser...@dmarc.ietf.org> 
>> wrote:
>> 
>> 100% signed would mean unsigned zones do not get delegated, going insecure 
>> is no longer an option.
>> I would like the protocol to be able to handle that case. 
> 
> Ulrich, that seems to be a (registry-specific?) policy matter => probably out 
> of scope for the DNS protocol.
> 
> How could a parent signal “everything below this point of the tree is 
> signed”? How could they guarantee that was true, given delegation means 
> there’s a change of control for some part of the name space? How would 
> resolving servers be expected to use this signalling information? If they 
> come across an unsigned but working delegation, should they treat that as a 
> validation failure or continue to resolve the query? That would seem to be a 
> local policy/configuration matter too.
> 
> I’m not sure it matters to anyone if some parent zone has this sort of policy 
> or not. Could you explain the use case or problem statement?
> 

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
