> On 29 Feb 2024, at 08:44, John R Levine <jo...@taugh.com> wrote:
>
> On Thu, 29 Feb 2024, Mark Andrews wrote:
>>> If it is forbidden in the protocol, it might still happen.
>>
>> Ed, your reasoning is off. The point of forbidding is to allow the
>> validator to safely stop as soon as possible when it is under attack.
>
> We're going in circles here. You want to stop at 2 some time in the future
> after we've changed the spec. Ed and Shumon and I want to stop at, say, 10,
> right now. I've never written a DNSSEC validator so I don't know how
> different those are in practice but I'd be surprised if it were very much.

No, I want to stop after a single failure. Stopping after multiple failures is
a stopgap until we can get the specification fixed, a period for the updated
signers to be deployed and an effort to get the known colliding key tag zones
fixed.

> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
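
The trade-off debated in this thread, as an added example that is not code from any participant or from an existing validator: a validator loop with a configurable failure limit, run against a constructed DNSKEY set whose key tags all collide. The key tag routine follows RFC 4034 Appendix B; `toy_sign`, `validate`, `scenario` and all sample data are hypothetical, and an HMAC stands in for real signature verification because only the number of verification attempts matters here.

```python
import hashlib
import hmac

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def toy_sign(rdata: bytes, data: bytes) -> bytes:
    # Assumption: stand-in for a real DNSSEC signature, keyed by the DNSKEY.
    return hmac.new(rdata, data, hashlib.sha256).digest()

def validate(tag, sig, data, dnskeys, max_failures=None):
    """Return (valid, verify_attempts); give up after max_failures bad tries."""
    attempts = 0
    for rdata in dnskeys:
        if key_tag(rdata) != tag:
            continue                      # tag mismatch costs no crypto work
        attempts += 1
        if hmac.compare_digest(toy_sign(rdata, data), sig):
            return True, attempts
        if max_failures is not None and attempts >= max_failures:
            break                         # failure budget exhausted
    return False, attempts

# Constructed DNSKEY set: 12 keys whose 16-bit words are rotations of each
# other, so the additive key tag is identical for all of them.
HEADER = bytes([0x01, 0x01, 0x03, 0x0D])  # flags 257, protocol 3, algorithm 13
MATERIAL = bytes(range(1, 33))
KEYS = [HEADER + MATERIAL[2 * k:] + MATERIAL[:2 * k] for k in range(12)]
TAG = key_tag(KEYS[0])
RRSET = b"constructed RRset wire data"

def scenario(limit):
    """Results for a forged signature and for one genuinely made by KEYS[1]."""
    forged = validate(TAG, b"\x00" * 32, RRSET, KEYS, limit)
    genuine = validate(TAG, toy_sign(KEYS[1], RRSET), RRSET, KEYS, limit)
    return forged, genuine

if __name__ == "__main__":
    for limit in (1, 10, None):
        print("limit", limit, "->", scenario(limit))
```

With a limit of 1 the forged signature costs one verification, but the genuine signature made by the second colliding key is rejected as well; with a limit of 10 the genuine one validates on the second attempt and the forged one costs ten.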