On 10/03/2022 19:04, Paul Wouters wrote:
Sounds good to me.
Something analogous to bcp195 could be a good plan, esp as signature algorithms, rsa key sizes and maybe ksk/zsk handling change over time. Not sure if it'd be better part of such a document but also be no harm to try document good/best practices in preventing hijacking (2fa etc), so one could consider a bcp on the topic of "managing data/origin authentication for DNS data" rather than just DNSSEC maybe. Either could be useful.

Cheers,
S.
Even better if we would clarify DNSSEC is not an optional part of DNS, but I don’t think you are volunteering for that discussion 😀

Sent using a virtual keyboard on a phone

On Mar 10, 2022, at 13:54, Paul Hoffman <paul.hoff...@icann.org> wrote:

Greetings again. My motivation here is kinda trivial, but I've heard it is a common complaint. When writing a about DNSSEC, I need to reference the RFC. But it's three RFCs (4033, 4034, and 4035), and possibly another (6840). It would be awfully nice to refer to "DNSSEC" with a single reference like "BCP 250".

To get there, we need to update the RFCs and say that we want a BCP. This is mostly a paperwork exercise, but this WG isn't terribly good at getting those done. Maybe we could create a short-lived WG for moving DNSSEC to BCP that just the DNSSEC-y people need to pay attention to. If we do it, that WG would not take up any new DNSSEC-related work, just spruce up the base RFCs.

In the big picture, I think it would be good for the DNS to be able to refer to DNSSEC more easily.

Thoughts?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop