On 11/5/21 1:07 AM, Paul Wouters wrote:
> In general, the problem is that we need to make it easier for the DNS
> hoster to enable DNSSEC when their customers are non-technical. I think
> this draft does properly extend RFC 8078 and even think this document
> could deprecate the "Accept after wait" method.

I took a shot at that in -03.

> However, I do think it
> should still impose a minimum length of publication before accepting,
> so that mistakes similar to the recent slack.com outage can be
> prevented. So change "accept after wait" to "verify, then accept after
> wait".

Sure. The draft currently says in Section 3.2:
| If the above steps succeed without error, the CDS/CDNSKEY records are
| successfully validated, and the Parental Agent can proceed with the
| publication of the DS record set under the precautions described in
| [RFC8078], Section 5.

... and there, it says:
| A parent SHOULD [...] ensure
| that the zone validates correctly if the parent publishes the DS
| record.  A parent zone might also consider sending an email to its
| contact addresses to give the child zone a warning that security will
| be enabled after a certain amount of wait time -- thus allowing a
| child administrator to cancel the request.

I think that from a technical perspective, that covers the policy you're 
proposing.

Or did you really mean to *impose* a minimum delay, as in: it is forbidden to 
deploy more quickly?

Another approach would be to re-state explicitly what's in RFC 8078 Section 5 
(but I don't know if text duplication between RFCs is welcome?).

Best,
Peter

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
