On Wednesday, 29 April 2020 01:17:04 UTC Shumon Huque wrote:
> ...
>
> Paul - I guess I'm missing some background here. In what sense did
> getting DS working throw validating stubs overboard? Do you mean it
> took the focus away from them?

no. i mean that the decision to require a "clear path" for DNSSEC meant that no DNSSEC-dependent application has ever received investment. for example, DANE is interesting in the SMTP market because that's small and geeky, but will never be adopted by the Web because there are too many endpoints who cannot do stub validation and too many who will never be able to. building a DNSSEC-dependent product or service would be commercial suicide.

whatever we had to do to prevent this, no matter what the cost, up to and including putting keys and signatures into TXT records, would have been more in keeping with our own long term rational self interest and the goal of DNSSEC ubiquity.

if as i expect history passes DNSSEC by other than for DANE/SMTP and SSHFP and protection of RDNS caches, it will be due to the "clear path" design decision.

imagine the WWW launching as it did in the early 1990's but in a way that could not work on any desktop whose DNS server was from an earlier era. i hope we can agree that it would have failed, and that its failure would have inspired something more like the WWW we actually know, which works, and worked, everywhere.

--
Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop