On Jun 23, 2018, at 22:45, Paul Vixie <p...@redbarn.org> wrote:

> Joe Abley wrote:
>> I think a pragmatic solution needs to work in unsigned zones.
>>
>> ...
>
> can someone ask the IAB to rule on whether any new internet technology 
> standard should address unsigned DNS zones, or for that matter, IPv4 networks?
>
> "let's move on."

I agree with the sentiment, but in practical terms in 2018 I think
this is just a recipe for more DNS extensions without standardisation,
which will not help customers who want diversity in providers or who
want to be able to switch providers easily.

To the example at hand, enterprise DNS providers have already
implemented XNAME-like functionality in unsigned zones and are
selling it. If they can't easily support a standardised mechanism,
they're going to carry on selling what they have.

These response-time tricks that need response-time signing or
pre-computation of signatures across a full set of possible responses
are used by a lot of high-traffic zones and there's significant money
and competition all around it. I don't think that ecosystem is highly
motivated by the opinions of the IAB, and so the pragmatic result of
such a (perfectly reasonable and architecturally progressive)
statement would be to hamstring the working group, not to make the
deployed system better.

If there was a visible horizon where DNSSEC was in widespread demand
and a zone being unsigned was unusual, I would think differently.


Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
