On Mon, 1 Mar 2021, Ben Schwartz wrote:
> Given the existence of MTI algorithms, do we need to be so concerned about operators who support non-overlapping subsets? It seems like the guidance is clear: follow the MTI!

MTI is not mandatory to deploy. If your new DNS operator is fully ECDSA, and your old one is RSA only, and both are MTI, there is still a problem to solve.

I still think this is mostly a tooling problem. With the right tools, the new registrar can give a DNSKEY to the old registrar, who is mandated by contract to add it to their zone.

The old registrar that is uncooperative can always break things, e.g. simply by decommissioning the domain in question completely from their nameservers.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop