On Jan 31, 2024, at 09:56, Ralf Weber <d...@fl1ger.de> wrote:
>
> Moin!
>
> While this is true, there are a lot of players from different part
> of the ecosystem that want to work on DELEG (see contributors)

I am not saying don’t do it. I am saying we need to understand the cost and benefits. For example, do DS overload and a new RRtype now so in 10 years we could obsolete DS overload is one possible strategy.

> Even if you use the same name server in different domains that does not mean
> that it will be only resolved once and reused. In fact this popular behaviour
> keeps getting exploited for cache poisoning for decades now, hence some
> resolvers have different record and delegation caches and only fill the
> delegation cache entry while iterating for this domain and even then sometimes
> ignore the result to make it unpredictable for an attacker when a delegation
> update will occur.

One would hope these implementations would use one cache for the ones resolved with DNSSEC.

I personally have no interest in supporting or taking into account non-DNSSEC zones. Especially with a move towards transport security via preconfiguration or ADD, and putting trust in a few big resolvers, it becomes more important to have data origin authenticity. Also the enormous centralization of DNS, while IMHO bad, should at the very least make DNSSEC more ambiguous. And we are getting there. My colleague didn’t know his personal domain was DNSSEC signed. His registrar / DNS hoster just did it for him.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop