On Fri, Aug 11, 2017 at 10:39:50AM -0400, Matthew Pounsett wrote:
> It sounds like you're assuming that SWILD would be supported by caching
> servers that do not support DNSSEC or NSEC aggressive use. Why do you
> expect implementers would adopt SWILD before adopting these much older
> features?
(Without commenting about SWILD) It does not have to be due to implementation support alone. Many operators stick to unsigned zones. There are many reasons, some of which I'd mentioned in the unsigned NSEC thread. Resolvers have to deal with cache pollution and unnecessary upstream queries, but they have no control over whether the authoritative zones are signed.

2 mails up this thread, there is a comment about "New features are provided only by the latest version of the protocol." This seems to mix unrelated things together. The latest version of DNS (if there's such a thing) doesn't mandate operational use of DNSSEC. Use of unsigned zones is not obsolete and may well outlive us. Most zones today are unsigned and a carrot like NSEC aggressive use is unlikely to change the level of adoption of DNSSEC significantly.

Alexa Top domains and DNSSEC:

24 / 500 top domains (4.8%)
20548 / 1 million top domains (2.05%)

(12 years after introduction of 403{3,4,5})

Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
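The mechanism the message refers to, as an added example that is not code from the thread or from any real resolver: a toy negative cache that implements aggressive NSEC use (RFC 8198) on top of DNSSEC canonical name ordering (RFC 4034 section 6.1). For a signed zone, NSEC records learned from one validated NXDOMAIN let the resolver answer later queries for other nonexistent names without going upstream, provided a cached NSEC also proves there is no wildcard at the closest encloser. For an unsigned zone nothing is ever learned, so every nonexistent name costs an upstream query. The zone names, the NSEC chain, the `NegativeCache` API and the closest-encloser derivation (the longer of the ancestors the query name shares with the covering NSEC's owner and next name) are all constructed for this example.

```python
"""Aggressive use of NSEC (RFC 8198) in a toy resolver negative cache.

Added example, not code from the DNSOP thread or from any real resolver.
All names, records and the cache API below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def labels(name: str) -> list[bytes]:
    """Labels of a name, root-most first, case-folded as RFC 4034 s6.1 requires."""
    name = name.rstrip(".").lower()
    return [l.encode() for l in name.split(".")][::-1] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """DNSSEC canonical ordering (RFC 4034 s6.1): returns -1, 0 or 1 like strcmp."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1  # left-justified octet compare; a prefix sorts first
    return (len(la) > len(lb)) - (len(la) < len(lb))  # an ancestor sorts before its children


def is_subdomain(name: str, zone: str) -> bool:
    lz = labels(zone)
    return labels(name)[: len(lz)] == lz


def common_ancestor(a: str, b: str) -> str:
    """Longest name that is an ancestor of (or equal to) both a and b."""
    common = []
    for x, y in zip(labels(a), labels(b)):
        if x != y:
            break
        common.append(x)
    return ".".join(l.decode() for l in reversed(common)) + "."


@dataclass(frozen=True)
class NSEC:
    owner: str      # a name that exists in the zone
    next_name: str  # next existing owner in canonical order; the apex for the last record


def covers(rr: NSEC, name: str, zone: str) -> bool:
    """True if rr proves `name` does not exist: owner < name < next in canonical order.
    The last NSEC of a chain points back to the apex and covers everything after its owner."""
    if not is_subdomain(name, zone) or canonical_cmp(rr.owner, name) >= 0:
        return False
    if canonical_cmp(rr.next_name, rr.owner) <= 0:  # chain wraps around to the apex
        return True
    return canonical_cmp(name, rr.next_name) < 0


class NegativeCache:
    """Per-zone store of validated NSEC records plus a count of queries sent upstream."""

    def __init__(self) -> None:
        self.nsecs: dict[str, list[NSEC]] = {}
        self.upstream_queries = 0

    def learn(self, zone: str, *rrs: NSEC) -> None:
        """Record NSECs taken from a validated negative response. An unsigned zone
        never returns any, so the cache never learns anything about it."""
        self.nsecs.setdefault(zone, []).extend(rrs)

    def synthesize_nxdomain(self, zone: str, qname: str) -> bool:
        """RFC 8198 s5.1: NXDOMAIN may be synthesized when a cached NSEC covers qname
        and a cached NSEC proves there is no wildcard at the closest encloser."""
        rrs = self.nsecs.get(zone, [])
        cov = next((rr for rr in rrs if covers(rr, qname, zone)), None)
        if cov is None:
            return False
        # Both endpoints of the covering NSEC exist, so the longer of the ancestors
        # qname shares with them is its closest encloser (constructed derivation).
        ce = max(common_ancestor(qname, cov.owner), common_ancestor(qname, cov.next_name),
                 key=lambda n: len(labels(n)))
        wildcard = "*." + ce
        # covers() is strict: an NSEC whose owner *is* the wildcard proves it exists,
        # so the query must go upstream for wildcard expansion instead.
        return any(covers(rr, wildcard, zone) for rr in rrs)

    def resolve(self, zone: str, qname: str) -> str:
        if self.synthesize_nxdomain(zone, qname):
            return "NXDOMAIN (synthesized from cache)"
        self.upstream_queries += 1
        return "sent upstream"


def demo() -> dict[str, int]:
    """Constructed scenario: signed zone example.com. (names: apex, a, mail, www) versus
    unsigned example.net. Returns the number of upstream queries needed per zone."""
    cache = NegativeCache()
    # One validated NXDOMAIN for b.example.com. carried these two NSECs: one covering
    # the qname and one covering *.example.com. (ASCII '*' sorts before 'a').
    cache.learn("example.com.", NSEC("a.example.com.", "mail.example.com."),
                NSEC("example.com.", "a.example.com."))
    counts: dict[str, int] = {}
    for zone in ("example.com.", "example.net."):
        before = cache.upstream_queries
        for label in ("c", "d", "x.a", "zzz"):  # nonexistent names, e.g. a random-label flood
            cache.resolve(zone, f"{label}.{zone}")
        counts[zone] = cache.upstream_queries - before
    return counts


if __name__ == "__main__":
    print(demo())  # signed zone: only zzz.example.com. goes upstream; unsigned: all four do
```

In the signed zone only `zzz.example.com.` falls outside the cached NSEC ranges, so three of four nonexistent names are answered from cache; once the response for that name (NSEC `www.example.com.` back to the apex) is learned, later names past `www` are covered too. The unsigned zone has no NSEC chain to learn, which is the situation the message describes: the resolver carries the cache pollution and upstream load and cannot change it.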