I am not in favour of yet another change to DNSSEC bits without a much
larger demonstration of value than what this proposal has.  It's not
that I think this one has no value, I just think that the bulk of its
value is achievable via other mechanisms.

While it is true that there could be more user-friendly pre-delegation
testing, pre-delegation testing is effective.  Making that more
accessible could be achieved on a much shorter timeline than rolling
out these protocol changes.  It's achievable right now.

That said, I do see how this allows for identifying how some
individual validating resolvers might have problems when others
(including the pre-delegation testing tool) would not.  Yet I haven't
seen that scenario be much of a real-world problem that needs solving.
Even that could conceivably use approaches that do not need protocol
changes, or the expectation that any given domain has enough broad
usage to adequately exercise the testing in the dry-run phase.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
