Allowing the reverse zone method seems ok, but only if it is little extra
work, and does not hold up the rest. As has been said, users can usually
get a third-party NS record, and the Registrars usually have a manual
method to add the first DS record. This is a one-time event "per domain",
but
Unfortunately, the reverse zone is very often out of reach for those who use the IP range, and trying to do classless reverse delegation (RFC 2317) for those who have less than a /24 is even harder to get.

Paul

Sent using a virtual keyboard on a phone

On Jun 21, 2022, at 23:30,
On 6/22/22 12:39, Peter Thomassen wrote:
So I agree that strictly "replacing" Section 3 may be too much, but we should strongly discourage
its use. Perhaps it's enough to state that the draft "obsoletes" (or "deprecates"?) RFC
8078 Section 3?
I was thinking to write something like:
OLD:
Libor,
On 6/19/22 16:41, libor.peltan wrote:
However, I'd like to discuss if it really should *replace* RFC8078, Section 3
whatsoever.
Sure, it's definitely more secure than the rather quirky Accept after
Delay/Checks/Challenge procedures, but it also adds more limitations, as
described in
Hi John,
On 6/19/22 19:30, John Levine wrote:
It appears that libor.peltan said:
Alternatively, we may say that the RFC8078 bootstrapping is deprecated,
but still, it doesn't mean that we replace it.
That seems reasonable. Does anyone actually do the current TOFU-ish bootstrap?
Yes:
On Tue, Jun 21, 2022 at 7:51 PM wrote:
>
> Hi.
>
> During a meeting today of ROW (https://regiops.net), the I-D on CDS
> bootstrapping by using a DNSSEC-signed name at name server zone (
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/)
> was discussed.
> In that