> On Aug 4, 2021, at 11:29 AM, Tim Wicinski <tjw.i...@gmail.com> wrote:
>
> All
>
> This starts a Working Group Last Call for draft-ietf-dnsop-dnssec-iana-cons
>
> Current versions of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-iana-cons/
>
> The Current Intended Status of this document is: Standards Track
>
> Please review the draft and offer relevant comments.
> If this does not seem appropriate please speak out.
> If someone feels the document is *not* ready for publication, please speak
> out with your reasons.
>
> This starts a two week Working Group Last Call process, and ends on: 18
> August 2021
>
> thanks
> tim
Hi Tim,

I read the draft and I oppose it on principle; it is a bad idea.

IMHO the ONLY benefit of it is to encourage DS record overloading with random data that has no DNSSEC relevance, leading to abuse that threatens to turn the DS record into the new TXT overloading record, resulting in large DS sets.

The DS record is a unique record in that it lives only at the parent side of delegation. When DNS was defined no such records were envisioned; if more are needed this working group should take up a new work item to define a sub-set of the RRtype number space as parent-side-only, to have a proper debate on the topic.

Furthermore, this draft makes it trivial for vanity algorithms to be added to the DS and DNSKEY registries, threatening the depletion of the small number space. There is a big difference between registration and deployment: only algorithms that the IETF thinks have a benefit to the whole community and have an expectation of wide deployment should be registered.

Those of us who have fought the battles to get new algorithms rolled out and supported by a large fraction of the internet can attest that increasing the number of supported algorithms is a no-win battle, as it may lead to fragmented validation on the internet, forcing zones to sign with multiple algorithms ==> increasing packet size for no good reason.

Getting DS records into parents at TLD level is hard. CDS/CDNSKEY are supposed to make that easier, but uptake has been slow due to resistance by industry, and any overloading of the DS record may derail it.

Olafur
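The two concerns raised above, DS RRsets padded with non-DNSSEC data and the RDATA growth that comes with every extra algorithm, can be made concrete with a small audit of a DS RRset. This is an added example, not code from the draft or from anyone on the list; the allowlists hold the IANA algorithm and digest-type numbers commonly deployed today, and the owner name and record values are constructed.

```python
"""Audit a DS RRset: flag entries outside an operator's allowlist of IANA
DNSSEC algorithm / digest-type numbers, flag digests whose length does not
match the declared digest type (a sign of non-DNSSEC data in a DS record),
and total the RDATA bytes so the size cost of the set is visible."""
import re

# Subset of the IANA "DNS Security Algorithm Numbers" registry used as allowlist.
ALLOWED_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                      10: "RSASHA512", 13: "ECDSAP256SHA256",
                      14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
# Subset of the IANA DS "Digest Algorithms" registry: number -> (name, digest bytes).
ALLOWED_DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}

DS_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

def parse_ds(line):
    """Parse one DS record in presentation format into its fields."""
    m = DS_RE.match(line.strip())
    if not m:
        raise ValueError("not a DS record: " + line)
    owner, tag, alg, dtype, digest_hex = m.groups()
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype),
            "digest": bytes.fromhex("".join(digest_hex.split()))}

def ds_rdata_len(ds):
    # RFC 4034 DS RDATA: key tag (2) + algorithm (1) + digest type (1) + digest.
    return 2 + 1 + 1 + len(ds["digest"])

def audit_ds_rrset(lines):
    """Return total RDATA bytes and a list of findings for the RRset."""
    findings, total = [], 0
    for line in lines:
        ds = parse_ds(line)
        total += ds_rdata_len(ds)
        tag = ds["key_tag"]
        if ds["algorithm"] not in ALLOWED_ALGORITHMS:
            findings.append(f"key tag {tag}: algorithm {ds['algorithm']} not in allowlist")
        entry = ALLOWED_DIGEST_TYPES.get(ds["digest_type"])
        if entry is None:
            findings.append(f"key tag {tag}: digest type {ds['digest_type']} not in allowlist")
        elif len(ds["digest"]) != entry[1]:
            findings.append(f"key tag {tag}: {entry[0]} digest is {len(ds['digest'])} bytes, "
                            f"expected {entry[1]} (non-DNSSEC payload?)")
    return {"rdata_bytes": total, "findings": findings}

# Constructed sample RRset: one normal DS, one with an unassigned algorithm,
# one whose "SHA-256" digest is the wrong length.
SAMPLE_DS = ["example. 3600 IN DS 12345 13 2 " + "ab" * 32,
             "example. 3600 IN DS 2 200 2 " + "cd" * 32,
             "example. 3600 IN DS 3 13 2 " + "ef" * 16]
```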
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop