On Thu, May 2, 2024 at 7:32 AM John R Levine <jo...@taugh.com> wrote:
> MUST NOT is advice on how to interoperate, not on how to write software
> tools. It's up to the zone operator to follow the advice, not to the tool
> provider to hold them hostage.

??? RFC 8624 is explicitly guidance to implementers, not operators. The "MUST NOT" means MUST NOT implement in a conforming implementation of either signing or validation software. That's not an opinion. It's what the text says. It does acknowledge it can be useful guidance to others, but its audience is expressly DNSSEC implementers, not users of DNSSEC.

Sure, an implementer can choose to ignore the guidance. But creating an environment where implementers have to do that sort of seems to defeat the purpose of RFC 8624.

1.3. Document Audience

   The recommendations of this document mostly target DNSSEC
   implementers, as implementations need to meet both high security
   expectations as well as high interoperability between various
   vendors and with different versions. Interoperability requires a
   smooth transition to more secure algorithms. This perspective may
   differ from that of a user who wishes to deploy and configure DNSSEC
   with only the safest algorithm. On the other hand, the comments and
   recommendations in this document are also expected to be useful for
   such users.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop