Hi all,

Being the author of the ballot that recently passed requiring DNSSEC validation of all DCV for Web PKI CAs ( https://github.com/cabforum/servercert/pull/579 ), I do strongly support this type of language and think it would help the Internet Draft.

I largely agree DNSSEC validation should be a MUST statement, while DNSSEC signing is best left as a SHOULD. I also like the recommended precautions if the AD bit is not set.

In general I am excited about the idea of recursive-to-authoritative Do[HQT] (I have a reference to that in another I-D I am working on: https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-security/ ). However, I do not think it should replace any DNSSEC mandate, as the security properties are different. It could be nice to mention as a SHOULD, but I would advise against having it interact at all with the mandate to validate DNSSEC.

Best,
Henry

On Mon, Jul 21, 2025 at 9:10 AM Jim Reid <[email protected]> wrote:
>
>
> > On 21 Jul 2025, at 13:58, Erik Nygren <[email protected]> wrote:
> >
> > DNSSEC signing of zones remains a SHOULD.
>
> +1
>
> IMO using an encrypted channel (Do[HQT]) might well be "good enough".
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
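As an added illustration of the "validation is a MUST, with precautions when AD is not set" point above (example code written for this page, not from the thread, the CA/B Forum ballot, or the draft): a DCV client that talks to a trusted validating resolver has to look at more than the answer records. The header flags tell it whether the resolver actually validated the data (AD=1), whether validation was bypassed (CD=1), and whether the resolver refused to return bogus data (SERVFAIL). The function below classifies a wire-format response into the dispositions a CA's DCV logic would branch on. It assumes the query was sent with AD=1/CD=0 over a trusted path to a validating resolver, so AD in the reply is meaningful (RFC 4035 §3.2.3, RFC 6840 §5.7); the sample responses and the `_validation.example.com` label are constructed for the demo, and what the "precautions" for an unauthenticated answer are is left to the draft, not modelled here.

```python
import struct

# DNS header bit layout (RFC 1035 §4.1.1); AD and CD bits per RFC 4035.
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def parse_header(wire: bytes) -> dict:
    """Decode the 12-byte DNS header of a wire-format message."""
    if len(wire) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", wire[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def classify_dcv_answer(wire: bytes, expected_id: int) -> str:
    """Classify a resolver reply for a DCV lookup under a MUST-validate policy.

    Returns one of:
      "authenticated"   AD=1: resolver validated the data, DCV may proceed
      "unauthenticated" AD=0, no error: zone is unsigned; apply the draft's
                        precautions for unsigned zones (not modelled here)
      "bogus-or-error"  SERVFAIL: validating resolvers report bogus data this way
      "retry-tcp"       TC=1: answer was truncated, repeat the query over TCP
      "discard"         not our reply, or CD=1 (validation bypassed), or other rcode
    """
    h = parse_header(wire)
    if not h["qr"] or h["id"] != expected_id:
        return "discard"            # not a response to the query we sent
    if h["cd"]:
        return "discard"            # CD=1 means validation was switched off; never accept for DCV
    if h["tc"]:
        return "retry-tcp"
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus-or-error"     # treat as a failed DCV attempt, not as "no record"
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "discard"
    if h["ad"]:
        return "authenticated"
    return "unauthenticated"


def build_response(ident: int, *, ad: bool, cd: bool = False,
                   rcode: int = RCODE_NOERROR, tc: bool = False) -> bytes:
    """Constructed sample: minimal response (header + TXT question), no answer records."""
    flags = FLAG_QR | (rcode & RCODE_MASK)
    flags |= FLAG_AD if ad else 0
    flags |= FLAG_CD if cd else 0
    flags |= FLAG_TC if tc else 0
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    labels = b"_validation.example.com".split(b".")        # hypothetical DCV label
    qname = b"".join(len(l).to_bytes(1, "big") + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)        # QTYPE=TXT, QCLASS=IN


if __name__ == "__main__":
    qid = 0x1234
    samples = {
        "signed zone, validated":   build_response(qid, ad=True),
        "unsigned zone":            build_response(qid, ad=False),
        "bogus signature":          build_response(qid, ad=False, rcode=RCODE_SERVFAIL),
        "checking disabled":        build_response(qid, ad=True, cd=True),
        "wrong transaction id":     build_response(0x9999, ad=True),
    }
    for name, wire in samples.items():
        print(f"{name:26s} -> {classify_dcv_answer(wire, qid)}")
```

The AD bit is only evidence of validation if the resolver is one the CA operates or trusts and the path to it is protected (a loopback or an authenticated DoT/DoH/DoQ session); an AD bit received from an arbitrary resolver over plain UDP carries no assurance, which is why the encrypted-transport and validation requirements are complementary rather than interchangeable.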
