On Thu, May 2, 2024 at 7:32 AM John R Levine <jo...@taugh.com> wrote:

> MUST NOT is advice on how to interoperate, not on how to write software
> tools.  It's up to the zone operator to follow the advice, not to the tool
> provider to hold them hostage.
>

??? RFC 8624 is explicitly guidance to implementers, not operators. The
"MUST NOT" means MUST NOT implement in a conforming implementation of
either signing or validation software. That's not an opinion. It's what the
text says. It does acknowledge it can be useful guidance to others, but its
audience is expressly DNSSEC implementers not users of DNSSEC. Sure, an
implementer can choose to ignore the guidance. But creating an environment
where implementers have to do that sort of seems to defeat the purpose of
RFC 8624.

1.3.  Document Audience

   The recommendations of this document mostly target DNSSEC
   implementers, as implementations need to meet both high security
   expectations as well as high interoperability between various vendors
   and with different versions.  Interoperability requires a smooth
   transition to more secure algorithms.  This perspective may differ
   from that of a user who wishes to deploy and configure DNSSEC with
   only the safest algorithm.  On the other hand, the comments and
   recommendations in this document are also expected to be useful for
   such users.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop