> On Aug 4, 2021, at 11:29 AM, Tim Wicinski <tjw.i...@gmail.com> wrote:
> 
> 
> All
> 
> This starts a Working Group Last Call for draft-ietf-dnsop-dnssec-iana-cons
> 
> The current version of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-iana-cons/
> 
> The Current Intended Status of this document is: Standards Track
> 
> Please review the draft and offer relevant comments.
> If this does not seem appropriate please speak out. 
> If someone feels the document is *not* ready for publication, please speak 
> out with your reasons.
> 
> This starts a two week Working Group Last Call process, and ends on:  18 
> August 2021
> 
> thanks
> tim


Hi Tim, 

I read the draft and I oppose it on principle, it is a bad idea. 
 
IMHO the ONLY benefit of it is to encourage DS record overloading with random 
data that has no DNSSEC relevance, leading to abuse that threatens to turn the 
DS record into the new TXT overloading record, resulting in large DS sets. 

The DS record is a unique record in that it lives only at the parent side of 
the delegation; when DNS was defined no such records were envisioned. If more are 
needed, this working group should take up a new work item to 
define a sub-set of the RRtype number space as parent-side-only, to have a 
proper debate on the topic. 

Furthermore, this draft makes it trivial for vanity algorithms to be added to 
the DS and DNSKEY registries, threatening the depletion of the small number 
space. 
There is a big difference between registration and deployment; only algorithms 
that the IETF thinks have a benefit to the whole community and have an 
expectation of wide deployment should be registered. 
Those of us who have fought the battles to get new algorithms rolled out and 
supported by a large fraction of the internet can attest that increasing the 
number of supported algorithms is a no-win battle, as it may lead to fragmented 
validation on the internet, forcing zones to sign with multiple algorithms ==> 
increasing packet size for no good reason. 

Getting DS records into parents at TLD level is hard; CDS/CDNSKEY are supposed 
to make that easier, but uptake has been slow due to resistance by industry, and any 
overloading of the DS record may derail it. 

Olafur
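The concern above, that DS records could be filled with data that has no DNSSEC meaning and that unassigned algorithm numbers could appear, is something a registry or resolver operator can check for mechanically. The following Python lint is an added example written for this thread, not code from the draft, the DNSOP working group or any DNS implementation. It parses DS records in presentation format (RFC 4034 section 5.3: key tag, algorithm, digest type, hex digest), flags algorithm or digest-type values outside the IANA registries (the registry snapshot embedded here is an assumption as of this 2021 thread and would need refreshing), flags digests whose length does not match their digest type, and estimates the uncompressed wire size of a DS RRset to make the "large DS sets" point concrete. The sample records are constructed; `parse_ds`, `lint_ds` and `ds_rrset_wire_length` are names chosen for this example.

```python
"""Lint DS records for values outside the IANA registries and for
digest lengths that do not match their digest type (added example)."""
import re

# Assumption: IANA "DNS Security Algorithm Numbers" assigned values as of 2021,
# deprecated entries included, plus the private-use values 253 and 254.
ASSIGNED_ALGORITHMS = {1, 2, 3, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16, 253, 254}

# IANA "Digest Algorithms" registry for DS: digest type -> digest length (bytes).
# 1 = SHA-1, 2 = SHA-256, 3 = GOST R 34.11-94, 4 = SHA-384.
DIGEST_LENGTHS = {1: 20, 2: 32, 3: 32, 4: 48}

# Presentation format: owner [ttl] [IN] DS keytag algorithm digesttype digest
_DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?DS\s+"
    r"(?P<keytag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f\s]+)$"
)


def parse_ds(line):
    """Parse one DS record in presentation format into its RDATA fields."""
    m = _DS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DS record: {line!r}")
    digest_hex = re.sub(r"\s+", "", m.group("digest"))
    if len(digest_hex) % 2:
        raise ValueError("digest has an odd number of hex digits")
    return {
        "owner": m.group("owner"),
        "keytag": int(m.group("keytag")),
        "algorithm": int(m.group("alg")),
        "digest_type": int(m.group("dtype")),
        "digest": bytes.fromhex(digest_hex),
    }


def lint_ds(record):
    """Return a list of findings (empty when the record looks well-formed)."""
    findings = []
    if not 0 <= record["keytag"] <= 0xFFFF:
        findings.append(f"key tag {record['keytag']} does not fit in 16 bits")
    alg = record["algorithm"]
    if alg not in ASSIGNED_ALGORITHMS:
        findings.append(f"algorithm {alg} is not assigned in the IANA registry")
    dtype = record["digest_type"]
    expected = DIGEST_LENGTHS.get(dtype)
    if expected is None:
        findings.append(f"digest type {dtype} is not assigned in the IANA registry")
    elif len(record["digest"]) != expected:
        # A length mismatch is the simplest sign of a DS carrying non-DS data.
        findings.append(
            f"digest is {len(record['digest'])} bytes, "
            f"digest type {dtype} requires {expected}"
        )
    return findings


def ds_rdata_wire_length(record):
    """DS RDATA on the wire: 2 (key tag) + 1 (algorithm) + 1 (digest type) + digest."""
    return 4 + len(record["digest"])


def ds_rrset_wire_length(records):
    """Uncompressed wire size of a DS RRset: per RR, owner name + 10 header
    bytes (type, class, TTL, RDLENGTH) + RDATA. Name compression is ignored."""
    total = 0
    for r in records:
        labels = [lab for lab in r["owner"].rstrip(".").split(".") if lab]
        owner_len = sum(1 + len(lab) for lab in labels) + 1  # +1 root label
        total += owner_len + 10 + ds_rdata_wire_length(r)
    return total


# Constructed sample records (digests are filler bytes, not real key hashes).
SAMPLE_DS = [
    "example. 3600 IN DS 31589 13 2 " + "ab" * 32,   # well-formed ECDSA P-256 / SHA-256
    "example. 3600 IN DS 31589 13 2 " + "ab" * 16,   # digest too short for SHA-256
    "example. 3600 IN DS 31589 200 2 " + "ab" * 32,  # unassigned algorithm number
    "example. 3600 IN DS 31589 13 9 " + "ab" * 32,   # unassigned digest type
]


def lint_lines(lines):
    """Lint each presentation-format line; returns one findings list per line."""
    return [lint_ds(parse_ds(line)) for line in lines]


if __name__ == "__main__":
    for line, findings in zip(SAMPLE_DS, lint_lines(SAMPLE_DS)):
        print(line[:40] + "...", findings or "ok")
    print("RRset wire bytes:", ds_rrset_wire_length([parse_ds(l) for l in SAMPLE_DS]))
```

Run over a zone's DS RRset, the lint points at exactly the records the message worries about: values that are not in the registries, and digests whose size says they were never produced by the claimed digest algorithm. The wire-length helper shows why a DS set stuffed with extra records costs more than a TXT set would: every DS adds its owner name and a 10-byte header on top of its RDATA.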



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
