Moin!

On 17 Mar 2025, at 17:53, Shumon Huque wrote:
> I couldn't remember exactly what text we put in. Looks like section 8.3
> (Other Considerations) 2nd paragraph acknowledges the existence of parent
> centric implementations, but yes, that is not the same as saying optionally
> not doing it. I think this text was put in after consultation with Ralf
> Weber.

Correct, and this is the only section of the draft that the Akamai resolvers
comply with in this draft. The draft also mentions ZONEMD and local root,
which supply a better protection for root and the TLD level (as almost all
TLDs are signed currently) than trying to do what this draft proposes.

From an implementation perspective I stand by my argument that the increased
complexity in resolver operations caused by this draft does not outweigh
the perceived benefit of it. By perceived benefit I mean that DNSSEC
is supposed to detect data forgery, and for that it does not matter if I
get the correct data from the wrong server, or to paraphrase Geoff Huston,
you can pick up your DNSSEC answer from the street and still validate it.

It looks like other implementers (Knot) came to the same conclusion.

So long
-Ralf
——-
Ralf Weber

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org