> On 1 Mar 2021, at 13:29, Ulrich Wisser <ulrich=40wisser...@dmarc.ietf.org> wrote:
>
> 100% signed would mean unsigned zones do not get delegated, going insecure is no longer an option.
> I would like the protocol to be able to handle that case.
Ulrich, that seems to be a (registry-specific?) policy matter => probably out of scope for the DNS protocol.

How could a parent signal “everything below this point of the tree is signed”? How could they guarantee that was true, given delegation means there’s a change of control for some part of the name space?

How would resolving servers be expected to use this signalling information? If they come across an unsigned but working delegation, should they treat that as a validation failure or continue to resolve the query? That would seem to be a local policy/configuration matter too.

I’m not sure it matters to anyone if some parent zone has this sort of policy or not. Could you explain the use case or problem statement?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop