On Mon, Mar 1, 2021 at 7:46 AM Ulrich Wisser <ulrich= 40wisser...@dmarc.ietf.org> wrote:
> Hi Jim,
>
> I don’t want to signal this to resolvers, there is no need to. As domains
> are resolved by themselves a resolver doesn’t need to know if all other
> subdomains of .se are signed too, just that the one it is interested in is
> signed.
>
> But if .se would have that policy, how would you move a domain between
> name server operators?
> - If approved by the chairs Shumon and I will present our work on
> automating this at the next dnsop meeting.
> - if the operators do not support the same algorithm, only lax validation
> can save you. (And that is how this discussion started)
>

This should be highlighted to keep the conversation moving in the right direction:

- Switching providers while staying secure requires inter-provider cooperation, including publishing ZSKs from both providers in the DNSKEY RRSET served by both providers.
- Doing lax validation MAY be necessary (if the algorithms used for signing the zone do not overlap).
- Doing lax validation is NOT SUFFICIENT, i.e. only adding lax validation is not enough to not break validation; the inter-provider stuff is necessary too.

Brian
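The three bullets above can be checked with a small model of validator behaviour. The following is an added example, not code from the thread or from any DNSOP draft. It abstracts signature verification away entirely (an RRSIG "verifies" when the validator's cached DNSKEY RRset contains a key with the same key tag and algorithm), uses constructed key tags, and encodes the strict rule as "every algorithm present in the DNSKEY RRset must be covered by a verifiable RRSIG" (the RFC 4035 section 2.2 signing expectation) versus the lax rule as "one verifiable RRSIG is enough" (the RFC 6840 section 5.11 validator advice). Algorithm numbers 8 and 13 are the IANA values for RSASHA256 and ECDSAP256SHA256; everything else is hypothetical.

```python
"""Toy model of DNSSEC validation during a multi-signer provider change.

Signature verification is abstracted away: an RRSIG verifies if the
validator's cached DNSKEY RRset holds a key with the same key tag and
algorithm. Key tags below are constructed sample values.
"""
from dataclasses import dataclass

RSASHA256 = 8          # IANA DNSSEC algorithm numbers (real values)
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Key:
    tag: int
    alg: int


@dataclass(frozen=True)
class Sig:
    tag: int
    alg: int


def validate(dnskeys: set, rrsigs: list, lax: bool) -> bool:
    """Decide whether rrsigs over some RRset validate against dnskeys.

    strict (lax=False): every algorithm appearing in the DNSKEY RRset must
        be covered by at least one verifiable RRSIG.
    lax (lax=True): a single verifiable RRSIG is sufficient.
    """
    verified_algs = {s.alg for s in rrsigs if Key(s.tag, s.alg) in dnskeys}
    if not verified_algs:
        return False            # nothing verifies: fails under either rule
    if lax:
        return True
    return {k.alg for k in dnskeys} <= verified_algs


# Provider A signs with ECDSA, provider B with RSA (constructed key tags).
ZSK_A = Key(tag=11111, alg=ECDSAP256SHA256)
ZSK_B = Key(tag=22222, alg=RSASHA256)


def scenario_shared_zsks_same_alg(lax: bool) -> bool:
    """Both providers use the same algorithm and publish both ZSKs."""
    zsk_b_ecdsa = Key(tag=33333, alg=ECDSAP256SHA256)
    dnskeys = {ZSK_A, zsk_b_ecdsa}                 # cached from provider A
    rrsigs_from_b = [Sig(zsk_b_ecdsa.tag, zsk_b_ecdsa.alg)]  # answer from B
    return validate(dnskeys, rrsigs_from_b, lax)


def scenario_shared_zsks_different_algs(lax: bool) -> bool:
    """Both ZSKs published by both providers, but algorithms differ."""
    dnskeys = {ZSK_A, ZSK_B}                       # cached from provider A
    rrsigs_from_b = [Sig(ZSK_B.tag, ZSK_B.alg)]    # B signs only with RSA
    return validate(dnskeys, rrsigs_from_b, lax)


def scenario_unshared_zsks(lax: bool) -> bool:
    """Provider A's DNSKEY RRset omits B's ZSK; answer arrives signed by B."""
    dnskeys = {ZSK_A}                              # cached from provider A
    rrsigs_from_b = [Sig(ZSK_B.tag, ZSK_B.alg)]
    return validate(dnskeys, rrsigs_from_b, lax)


def summary() -> dict:
    """Outcome table for every scenario under strict and lax validation."""
    scenarios = {
        "shared ZSKs, same algorithm": scenario_shared_zsks_same_alg,
        "shared ZSKs, different algorithms": scenario_shared_zsks_different_algs,
        "unshared ZSKs": scenario_unshared_zsks,
    }
    return {name: {"strict": fn(False), "lax": fn(True)}
            for name, fn in scenarios.items()}


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:36s} strict={result['strict']!s:5s} lax={result['lax']}")
```

The table the script prints lines up with the message: sharing ZSKs with a common algorithm validates under both rules; sharing ZSKs with non-overlapping algorithms validates only under lax; and not sharing ZSKs fails under both, which is why lax validation on its own cannot rescue a migration that skipped the inter-provider key exchange.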
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop