On 2/9/24, 11:02, "pch-b538d2...@u-1.phicoh.com on behalf of Philip Homburg" 
<pch-b538d2...@u-1.phicoh.com on behalf of pch-dnso...@u-1.phicoh.com> wrote:

    > One of the misconceptions in DNSSEC is that the zone administrator
    > is in control of the situation, dictating the state of signing,
    > the cryptography in use, and so on.  DNSSEC is for the benefit of
    > the querier, not the responder.  A zone administrator can't force
    > a querier to validate the results, it can't dictate what cryptographic
    > library support the receiver must have.  

    I don't see how this statement is relevant.

This was the text that made me react:

# If DELEG is mainly used to signal that a secure transport, such as DoT, DoH,
# or DoQ, is available then falling back to NS/DS might be preferred (by the
# zone operator) over failure.

...specifically, "then falling back to NS/DS might be ***preferred (by the 
zone operator)***"...

We need to approach the design with the knowledge that the querier is in the 
driver's seat, it is up to the querier to decide whether to fall back, or not, 
in any way.  The zone operator (the responder) can only present options to the 
querier (here), not dictate (that's too strong a word) or encourage (a bit 
softer) or influence (yet milder) how the querier will "act next".

It's the querier's prerogative to choose whether they fall back and how, and 
what privacy enhancement they crave (judging this being a concern by the 
inclusion of DoT and DoH in the context), not the responder's.

I'm not picking on fall back, or privacy - I'm picking on the process of how we 
design the protocol.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
