Hi Joe,
On 21/07/2024 02:15, Joe Abley wrote:
> I've lost the original new version announcement to reply to so apologies
> for the thread crime, but I have a more fundamental question about this
> draft.
No problem!
> Even after you have tested with a dry run mechanism, you need to make
> material changes to your zone to progress to actually signing in a way
> that you expect people to validate, and you can only get useful test
> results from validators that have implemented the test mechanism. So the
> thing you tested is not actually the same thing as what you deploy, and
> the test coverage might well be limited.
> This doesn't make it feel like a great test.
I understand. That is why the whole point of dry-run is to have a
turn-key action when you are done testing.
You don't touch any of the signed and deployed and tested zone.
You only update the DS on the parent.
> Isn't signing a test zone with exactly the processes, protocols and
> software that will be used in real life and validating it with real
> deployed validating resolvers actually a better test?
Yes! That is the point.
> Who is this mechanism for?
People that are afraid to sign their zones.
They can test without breaking their DNS.
After testing they can either replace the dry-run DS on the parent with
the real DS and join the rest of the DNSSEC community.
Or remove the dry-run DS altogether and run away screaming from DNSSEC;
but without ever breaking their zone.
Best regards,
-- Yorgos
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org