Hi, The chairs have discussed the DELEGATION_ONLY draft extensively. It’s reasonable to ask how we reached the conclusions we did, so here’s what we were thinking.
> On Aug 9, 2021, at 4:34 PM, Paul Wouters <p...@nohats.ca > <mailto:p...@nohats.ca>> wrote: > > On Thu, 5 Aug 2021, Tim Wicinski wrote: > >> Subject: [DNSOP] Dropping the draft "The DELEGATION_ONLY DNSKEY flag" > >> This came up in the poll, but also the discussion on priorities. There >> seems to be >> strong feelings on dropping this draft. We adopted with the idea that if >> we could >> not find WG consensus, we were not going to advance it, and that seems to be >> the case. > > We had several people in favour of the experiment, and Joe Abley against > it. May I know how you determined the lack of consensus versus the in > "in the rough" ? Especially since in this case, we are talking about > something that is completely optional to implement and deploy, so that > people who don't like it find zero negative effects from this. Multiple people who are not Joe Abley have spoken up, in this thread and previously, to question the usefulness of the draft. As a relatively minor point, calling the flag allocation an “experiment” is a bit confusing without a hypothesis or a way to assess the outcome. In any case, a standards track RFC is required to modify the DNSKEY FLAGS registry (https://www.iana.org/assignments/dnskey-flags/dnskey-flags.xhtml#dnskey-flags-1 <https://www.iana.org/assignments/dnskey-flags/dnskey-flags.xhtml#dnskey-flags-1>)— not Informational or Experimental. The DNSKEY FLAGS field is small and there’s no provision for calling back the code point delegation from IANA if the “experiment” fails. The larger point is that it’s not clear what demand there is for this feature. The draft discusses TLDs almost exclusively, which is a limited use case. In previous discussion on the draft, more than one person asserted that some TLDs, including very large ones, may sometimes rely on the behavior this flag is designed to obstruct, so are extremely unlikely to ever deploy it. Others expressed skepticism regarding the costs and benefits the flag provides over other, higher-probability attacks. It’s always possible we overlooked something, but there’s no implementation status discussed in the current draft, and we also didn’t see anyone speaking up for a TLD that would deploy the DELEGATION_ONLY flag if they had it. It seems to us that consensus to support the draft would include substantial evidence that the feature would be implemented and used. We’d be willing to re-open WG consideration of this draft if implementers or TLD operators speak up in support. Suzanne/Tim/Benno
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
