On Thu, Mar 10, 2022 at 2:59 PM Grant Taylor <gtaylor=40tnetconsulting....@dmarc.ietf.org> wrote:

> Aside: Maybe it's just me, but I feel like there is more perceived
> value in clarifying existing documentation, in the hopes that others
> will be more likely to adopt current best practices, than there is in
> updating things. Dare I say it, but I feel some urgency to do this.
I think a single BCP doc is a good idea, but here I'd actually go much further and argue for a significant section in the BCP that acknowledges that it is also a best current practice not to enable DNSSEC. That is objectively the most common practice, and it is very often intentional. I think there's a way to frame it and lay out the intrinsic trade-offs between internet stability risks and the security benefits. That framing actually underscores the importance and urgency of all the best practices that can mitigate the stability risks and enhance the security. That might more effectively persuade DNSSEC skeptics.

Absent a big change in adoption, a BCP could otherwise seem quite disconnected from reality (TLD-scale outages, stale cryptography) and tone-deaf to the skepticism that's out there. "We hear you" is powerful.

-- 
Colm