Paul Wouters has entered the following ballot position for
draft-ietf-dnsop-dnssec-bcp-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bcp/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------


Since draft-ietf-dnsop-rfc5933-bis is in IETF Last Call now, I think it is
worth waiting on and updating this text:

   The GOST signing algorithm [RFC5933] was also adopted, but
   has seen very limited use, likely because it is a national algorithm
   specific to a very small number of countries.

To add a reference that RFCXXX updates the GOST algorithms for DNSSEC (but that
it is uncertain at this point whether it will be widely adopted).

I could be convinced for this document to not wait, but then I do think this
paragraph should state that it is NOT RECOMMENDED to implement RFC5933 since
the underlying GOST algorithms have been deprecated by their issuer.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


   One purpose is to introduce all of the RFCs in one place so
   that the reader can understand the many aspects of DNSSEC.  This
   document does not update any of those RFCs.  Another purpose is to
   move DNSSEC to Best Current Practice status.

I think another purpose not mentioned, which for me was a main motivator for
this document, is to provide a single RFC reference for other documents that
want to point to "DNSSEC" using a single reference instead of referring to the
3 core components (in an incomplete way).

   More than 15 years after the DNSSEC specification was published, it
   is still not widely deployed.  Recent estimates are that fewer than
   10% of the domain names used for web sites are signed, and only
   around a third of queries to recursive resolvers are validated.

What is the value of this paragraph? You wouldn't want to have a single IPv6
reference RFC say this either :)

This document will be "the reference RFC" for a long time. It should not have
dated/outdated statistics in it.

   However, this low level of implementation does not affect whether
   DNSSEC is a best current practice

I don't think the level of implementation is low. It is actually quite high.
Practically all DNS software implements it. I think you meant deployment?

NITS:

   which algorithms recursive resolver operators should or should not
   validate.

change to:

   which algorithms recursive resolver operations should or should not
   use for validation

(the algorithms themselves are not validated)



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop