On Fri, 18 Jun 2021, Joe Abley wrote:

On Jun 18, 2021, at 13:41, Peter van Dijk <peter.van.d...@powerdns.com> wrote:

I propose replacing rfc5011-security-considerations with a short document 
deprecating 5011 in its entirety.

Eh? 5011 is baked into various software. Why would we replace 5011?

Did I miss something?

There were some conversations adjacent to the last great root zone KSK roll 
excitement about how a more measurable and reliable mechanism might be useful. 
My memory is that there might be value in specifying a new mechanism that could 
be used as an alternative to or in conjunction with 5011, though, not that 5011 
was fundamentally unsound and deserved to be deprecated.

I agree that, in the end, 5011 seems to have done a reasonable job -- it was 
just hard to predict with any degree of comfort or certainty.

Sure, but if we were to deprecate 5011, what would we expect to happen
when we want to do another rollover? We would still have software out
there doing 5011, so we can't do it dramatically differently. Which
would lead me to think at best we could do a 5011bis that's mostly
compatible but somehow improved on what we missed, the reporting.

But that is quite different from "deprecating 5011 in its entirety".

Paul "no-not-a-dns-flagday" Wouters

DNSOP mailing list
