Good idea, and I volunteer to assist if you'd like. Some stuff that may be good to consider including:

- Negative Trust Anchors - https://datatracker.ietf.org/doc/rfc7646/
- In case of DNSSEC validation failures, don't switch resolvers - https://datatracker.ietf.org/doc/draft-livingood-dnsop-dont-switch-resolvers/

Jason

On 3/10/22, 13:54, "DNSOP on behalf of Paul Hoffman" <dnsop-boun...@ietf.org on behalf of paul.hoff...@icann.org> wrote:

Greetings again. My motivation here is kinda trivial, but I've heard it is a common complaint. When writing a about DNSSEC, I need to reference the RFC. But it's three RFCs (4033, 4034, and 4035), and possibly another (6840). It would be awfully nice to refer to "DNSSEC" with a single reference like "BCP 250".

To get there, we need to update the RFCs and say that we want a BCP. This is mostly a paperwork exercise, but this WG isn't terribly good at getting those done. Maybe we could create a short-lived WG for moving DNSSEC to BCP that just the DNSSEC-y people need to pay attention to. If we do it, that WG would not take up any new DNSSEC-related work, just spruce up the base RFCs.

In the big picture, I think it would be good for the DNS to be able to refer to DNSSEC more easily.

Thoughts?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop