On Tue, Mar 02, 2021 at 08:34:21PM -0500, Viktor Dukhovni wrote:

> On Wed, Mar 03, 2021 at 12:40:55AM +0000, Paul Vixie wrote:
>
> > I think you had me right the first time. I'm imagining a world with
> > dnssec aware apps and stubs (and therefore, DANE validators in TLS
> > clients), where some paths are closed for stupid reasons..., but the
> > rest are either dnssec-aware or dnssec-nondamaging. We should not make
> > the minimum viable product unbuildable unless we lack better choices.
>
> A laudable goal, but exposing RRSIG as a bare RRset one can query does
> not look like a viable path forward. So I don't see this happening.

you described several cases in which rrsigs wouldn't be stable enough. in my own role as signer, the rrsigs are refreshed by cron on sundays, and so i think we're both looking at anecdotes here, worst or best case scenarios, and what you don't see happening isn't totally compelling.

> More likely equipment that gets in the way will over time get replaced,
> or users will tunnel traffic to a less broken resolver.

there's a lot of ways this can go. i usually share the pessimism you're expressing. but that doesn't mean i won't care if we make it all worse.

-- 
Paul Vixie

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
