On 18/06/2021 19.40, Peter van Dijk wrote:
> aname can go; I trust the WG feels SVCB will supersede it.
Yes, please.
> I propose replacing rfc5011-security-considerations with a short document
> deprecating 5011 in its entirety. I am happy to write text for that, if there
> is an appetite - when the WG queue is small enough!
I agree that 5011 doesn't seem really useful (anymore).
We have it in Knot Resolver but recommend not to use it, because it's
just more trouble than it's worth in practice. Notably, (all) resolver
software needs much more frequent updates than the rate of root KSK
rollovers, so it's easier to distribute root DS within the updates; some
Linux distros even package these separately and share them among
different resolver packages. Even if you're conservative and use BIND
ESV or similar, I believe it's a better approach than 5011. For
non-root keys there doesn't seem to be much point nowadays, as getting a
chain from root is better.
(By the way, an "interesting" example: router with DNSSEC validation and
factory reset / rollback, commonly shelved for a year, unreliable clock,
etc.)
--Vladimir
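As an added illustration (not from the thread and not Knot Resolver code) of the check a resolver does when the root trust anchor is shipped as a DS record inside the package rather than learned via RFC 5011: the observed root DNSKEY is matched against the packaged DS by key tag, algorithm and digest, per RFC 4034 wire formats. The key material below is constructed and is not the real root KSK.

```python
# Added example: verify an observed DNSKEY against a packaged DS trust anchor.
# Wire formats follow RFC 4034; the sample key is constructed, not the root KSK.
import hashlib
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name in wire form || DNSKEY RDATA)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]  # DS digest types
    return hashlib.new(algo, wire_name + rdata).digest()


def matches_anchor(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, anchor: dict) -> bool:
    """True if the observed DNSKEY matches the packaged DS anchor.

    `anchor` mirrors a DS record: key_tag, algorithm, digest_type, digest (hex).
    Tag, algorithm and digest must all agree; one changed key byte fails.
    """
    if not (flags & 0x0100) or protocol != 3:   # Zone Key bit set, protocol 3
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata) == anchor["key_tag"]
            and algorithm == anchor["algorithm"]
            and ds_digest(owner, rdata, anchor["digest_type"]).hex()
            == anchor["digest"].lower())


# Constructed sample: fake root KSK (flags 257 = ZONE|SEP), algorithm 8.
SAMPLE_KEY = bytes(range(1, 65))
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_KEY)
# The DS a distro package would ship for that key (SHA-256, digest type 2).
SAMPLE_ANCHOR = {"key_tag": key_tag(SAMPLE_RDATA), "algorithm": 8,
                 "digest_type": 2, "digest": ds_digest(".", SAMPLE_RDATA, 2).hex()}
```

With a shipped DS there is no holddown timer to wait out, so the check does not depend on the device having a correct clock at first boot; signature validity periods during validation still do.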
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop