[Dnssec-deployment] not ANY (Re: CAT is signed )
Florian Weimer
fweimer at bfk.de
Thu Jul 1 04:51:48 EDT 2010

* Paul Vixie:

>> From: Florian Weimer <fweimer at bfk.de>
>> Date: Wed, 30 Jun 2010 09:41:02 +0000
>>
>> Mandating TCP service might make some sense because it's a requirement
>> which is somewhat testable. Beyond that, it gets increasingly difficult
>> because relevant IETF standards haven't been updated in a decade (or
>> more) and do not reflect current practice nor operational necessity.
>
> the standards in this area aren't wrong just because they are old.

No, they are wrong because they are wrong. Often, we need some time
and experience to recognize their wrongness, and reach consensus on
that. In other cases, things do not develop in the direction we
expected initially.

Anyway, this still doesn't answer the question why you would want
ICANN to revoke TLD delegations if there are implementation issues
which have been demonstrated to be non-critical. Actually, I wonder
whether such hypothetical ICANN-induced breakage would be treated
differently than any other form of widespread server breakage by
resolver implementors. Wouldn't you be among the first to put special
code into BIND that works around it, similar to the server lameness
cache, or the Sitefinder filter?

(Your proposed policy would cause ISC.ORG to go dark, too, so that's
probably plenty of incentive to add a workaround. 8-)

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99