Paul Wouters wrote:
> On Mon, 26 Mar 2018, Paul Vixie wrote:
>
>> what i'd like is something more. KEY, SIG and NXT had multiple
>> interoperable implementations, but were not actually functional in any
>> end-to-end way, and were thus replaced by RRSIG, DNSKEY, DS, and NSEC.
>> later we moved the target and added NSEC3 and then NSEC3PARAM.
>
> The way I remember this is that while the KEY/SIG/NXT didn't
> provide the chain of trust, it was otherwise functional and DS could
> have been added here.

the question i'm begging here is why was something RFC'd that could not possibly have worked other than on a whiteboard or test lab, not exactly which parts could have been kept. we ought to have required a scale model of the resulting system -- which would have required a much larger test lab -- before we let that draft or any draft move forward.

this would have caught the IP fragmentation design flaw in EDNS, also.

> The desire to only allow DNS to use the KEY record (and exclude IPsec
> keys) was the main drive to rename/renumber these to DNSKEY/RRSIG/NSEC.

according to the records, TCR was nec'y in order to facilitate DS. see:

https://tools.ietf.org/id/draft-weiler-dnsext-dnssec-2535-compat-00.txt

--
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop