On Fri, Aug 11, 2017 at 10:39:50AM -0400, Matthew Pounsett wrote:
> It sounds like you're assuming that SWILD would be supported by caching
> servers that do not support DNSSEC or NSEC aggressive use.  Why do you
> expect implementers would adopt SWILD before adopting these much older
> features?

(Without commenting about SWILD)

It does not have to be due to implementation support alone. Many
operators stick to unsigned zones. There are many reasons, some of which
I'd mentioned in the unsigned NSEC thread. Resolvers have to deal with
cache pollution and unnecessary upstream queries, but they have no
control over whether the authoritative zones are signed.

2 mails up this thread, there is a comment about "New features are
provided only by the latest version of the protocol." This seems to mix
unrelated things together. The latest version of DNS (if there's such a
thing) doesn't mandate operational use of DNSSEC. Use of unsigned zones
is not obsolete and may well outlive us. Most zones today are unsigned
and a carrot like NSEC aggressive use is unlikely to change the level of
adoption of DNSSEC significantly.

Alexa Top domains and DNSSEC:

24 / 500 top domains (4.8%)
20548 / 1 million top domains (2.05%)

(12 years after introduction of 403{3,4,5})

                Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
