On Thu, 7 Apr 2016, John Levine wrote:
We could have written
“After observing CDS records for 15 days or 2 resigning cycles which ever is
longer, accept them and upload DS”
Is that better ?
It sets expectations
I think my users (the ones who know about DNSSEC) would not be happy
to hear that their entirely valid signed zone won't be verifiable for
two weeks, just because I am not as cool as some others are.
Clearly this is all local policy of the parent zone, and as such should
not be specified in this document.
But there is the case Parent happens to know the operator of the domain and via
out of band knowledge can be
sure the domain is operated a that party. In this case the upload should not
suffer any delay.
It needs to be stronger than that, define a small set of automatable
ways (ideally just one) that the uncool child can verify its bona
fides to the parent. It's fine for domains to opt out of them for
security reasons, but in most cases where the registration is only
secured by a password, it'll be fine.
This goes into RRR territory, which is a local policy that does not
apply to all parents.
Stating it is the parent's decision is what this document does. It
should not attempt to do more. It suggests example methods without
specific details about timing.
If we could come up with "ideally one" method that would be acceptable
to everyone, we wouldn't have ended up in the posistion that we needed
to write this draft to begin with, and this would have been resolved
years ago in the "triggers vs timers" discussion.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
