> On Apr 28, 2018, at 1:28 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> So at this point I think we understand each other, and the issue comes down
> to whether it is appropriate for the registry to automatically turn on DS
> records for the first time for a domain which is substantively operationally
> deficient at the time its CDS records are encountered.
>
> I think that garbage-in/garbage-out is not only a disservice to the domain's
> owner, but more importantly it poisons the ecosystem for everyone else.
>
> If turning on DNSSEC validation in your resolver stops email delivery to a
> bunch of domains, or breaks all access to the domain's data, whom exactly is
> the registry helping by enabling DNSSEC for a substantially broken domain?
>
> Think of this as anti-pollution environmental regulation.

I see a new version -05, with (so far) the Section 3.4 acceptance text
unchanged. I strongly feel broken DNSSEC adoption is much worse than no
DNSSEC adoption; it not only has operational impact on the target domain,
but also creates strong disincentives to enabling validation in resolvers.

Therefore, if at all possible, broken implementations should not have their
DS records published, and all reasonable effort should be made to detect
known forms of breakage before inflicting such breakage on the world at
large.

For example, nazwa.pl has recently signed a bunch of domains with lame
wildcard NS records under the zone apex. This breaks denial of existence
for all child domains, including TLSA lookups, and therefore breaks email
delivery to the newly signed domains. This is easily detected, and such
detection should be part of acceptance criteria for having DS records
published. Yes, some domains will introduce breakage after the fact, but
we can and should avoid it at inception.

    $ grep nazwa broken | ... | xargs -n1 unbound-host -D -t tlsa
    validation failure <_25._tcp.andyandmag.pl. TLSA IN>: nodata proof failed from 85.128.129.10
    validation failure <_25._tcp.fruty.pl. TLSA IN>: nodata proof failed from 85.128.128.10
    validation failure <_25._tcp.funit.com.pl. TLSA IN>: nodata proof failed from 195.238.185.146
    validation failure <_25._tcp.informica.org. TLSA IN>: nodata proof failed from 195.238.185.146
    validation failure <_25._tcp.vitacard.pl. TLSA IN>: nodata proof failed from 85.128.129.10
    validation failure <_25._tcp.sjedrzejewski.pl. TLSA IN>: nodata proof failed from 85.128.129.10
    validation failure <_25._tcp.centrumuslugszklarskich.com. TLSA IN>: nodata proof failed from 85.128.129.10
    validation failure <_25._tcp.ts3priv.pl. TLSA IN>: nodata proof failed from 195.238.185.146

--
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
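
One way to turn the unbound-host check in the message above into an accept/reject gate before DS publication, as an added example that is not part of the original message. The function names and the saved-results file are hypothetical; only the `validation failure` line format quoted above is parsed, and the non-failure sample line is constructed.

```shell
#!/bin/sh
# Added example. Input is the saved output of runs such as:
#   unbound-host -D -t tlsa _25._tcp.<domain>
# Only the "validation failure" line format quoted in the message is parsed.

# Constructed sample: three failure lines copied from the message, plus one
# constructed line for a healthy domain (its exact wording is an assumption).
sample_results() {
    cat <<'EOF'
validation failure <_25._tcp.andyandmag.pl. TLSA IN>: nodata proof failed from 85.128.129.10
validation failure <_25._tcp.fruty.pl. TLSA IN>: nodata proof failed from 85.128.128.10
validation failure <_25._tcp.vitacard.pl. TLSA IN>: nodata proof failed from 85.128.129.10
_25._tcp.example.org has no TLSA record
EOF
}

# Print "domain server" for every validation failure read from stdin.
tlsa_failures() {
    sed -n 's/^validation failure <_[0-9]*\._tcp\.\(.*\)\. TLSA IN>: .* from \([^ ]*\)$/\1 \2/p'
}

# ds_gate FILE DOMAIN: return 0 (DS may be published) unless DOMAIN has a
# validation failure recorded in FILE, in which case return 1 (hold back DS).
ds_gate() {
    if tlsa_failures < "$1" |
        awk -v d="$2" 'tolower($1) == tolower(d) { found = 1 } END { exit !found }'
    then
        return 1
    fi
    return 0
}

# failures_by_server FILE: "count server" lines, most failures first, to show
# whether the breakage clusters on a few authoritative servers.
failures_by_server() {
    tlsa_failures < "$1" |
        awk '{ n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn
}
```

A domain that is absent from the results file passes the gate, so the caller has to make sure every candidate domain was actually queried before trusting an accept.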