> Having said that, just what level of significance would it take
> for us to bend in this respect?  What type of feature, etc.?

For DNSSEC the issue was the fundamental integrity of the DNS. I think it's fair to say that this isn't that.

> ...BULK absolutely requires online DNSSEC signing,
Unfortunately, I respectfully reject this as a statement of fact.
> There's even a provision (NPN) ...

... which only works if you upgrade every validating resolver. If you get to do that, you might as well just send the signed BULK record, the NSEC and RRSIG that show there's nothing at the name, and let the resolver figure it out. Given how slowly people update their client DNS libraries, NPN would be a recipe for decades of DNS flakiness, as some resolvers accept the generated records and some don't.

As I said a few messages ago, this really needs to wait until we figure out how to signal DNS versioning, and if we don't want to wait for every resolver in the world to be updated, how to distribute signing keys along with AXFR/IXFR to allow online signing to work portably.

I'm not opposed to BULK because I don't think it's useful -- there are plenty of RRs that are useless but harmless. But I really don't want to break the DNS, particularly for something that is at most arguably useful.

R's,
John

PS: I hope it's self-evident why "it doesn't matter because hardly anyone uses DNSSEC" is not a persuasive argument.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
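The message above argues that a resolver which receives the signed BULK record plus the NSEC and RRSIG showing there is nothing at the name can "figure it out" itself. The following is an added example, not code from this thread, from John, or from any BULK draft: it implements the resolver-side check that an already-validated NSEC actually covers the queried name, using the canonical ordering of RFC 4034 section 6.1 and the NSEC wrap-around rule of RFC 4035 section 5.4. It assumes the RRSIG over each NSEC has been verified beforehand (signature checking is out of scope), and the zone chain it uses is constructed sample data.

```python
# Added example (not from the DNSOP thread or any BULK draft): how a
# validating resolver decides that a signed NSEC record proves a name
# does not exist, per RFC 4034 section 6.1 (canonical ordering) and
# RFC 4035 section 5.4 (NSEC "covers" semantics). Assumes the RRSIG over
# each NSEC has already been verified; signature checking is out of scope.

from typing import List, Optional, Tuple

NSEC = Tuple[str, str]  # (owner name, next name), both absolute


def canonical_key(name: str) -> List[bytes]:
    """Canonical ordering key: labels reversed (most significant first),
    lower-cased, compared as octet strings; a shorter prefix sorts first.
    Python's list comparison gives exactly that behaviour."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return list(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC (owner -> next_name) proves qname is absent.
    A qname equal to the owner exists (that is a type-denial case, not
    a name-denial), so it is never 'covered'."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n          # ordinary link in the chain
    # Last NSEC in the zone: next_name wraps back to the apex, so it covers
    # everything sorting after the owner (and, formally, before the apex).
    return q > o or q < n


def find_covering_nsec(nsecs: List[NSEC], qname: str) -> Optional[NSEC]:
    """Return the (already validated) NSEC that covers qname, or None if
    the records offered do not prove non-existence. A resolver that finds
    None must not accept a synthesised answer for qname."""
    for owner, nxt in nsecs:
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None


# Constructed sample chain for a zone 'example.com.' (not real data):
# apex -> a -> c -> back to apex.
SAMPLE_CHAIN: List[NSEC] = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "c.example.com."),
    ("c.example.com.", "example.com."),
]

if __name__ == "__main__":
    for q in ("b.example.com.", "z.example.com.", "a.example.com.", "A.Z.example.com."):
        print(q, "->", find_covering_nsec(SAMPLE_CHAIN, q))
```

The point of the check is the one the message makes about resolver upgrades: without a covering NSEC whose signature validates, a resolver has no basis for trusting a record generated at query time, so any proposal that relies on the resolver accepting synthesised data needs the non-existence proof delivered alongside it.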