
Clear path requirement



Over the past several months we've seen several problems that stem
from legacy resolvers thinking that children, not parents, are
authoritative for DS.  In particular, having non-DS-aware
resolvers/caches/proxies in the path from querier to authoritative
server can block DS records entirely, even if those boxes otherwise
handle unknown RR types.  Further details are being discussed on
dnssec@cafax.se.

So here are the questions: is it reasonable to mandate a "clear path"
between resolver and authoritative server, meaning a path with only
DS-aware (not just 2535-aware) resolvers/caches/proxies?  Is it
acceptable to have DNSSEC RRs dropped until everything along the path
is upgraded, or is that a deployment showstopper?  Or do so few of
these boxes pass unknown RR types that this is nothing new -- we're
already stuck with upgrading everything just to get KEY/SIG/NXT?

I think a clear path requirement is too onerous and will slow
deployment.  In particular, while a zone that wants to be signed can
probably remove any legacy caches that sit in front of its
authoritative servers, users wishing to validate results may not be
able to remove or upgrade the (often embedded) hardware at their ISP
(or hotel).  Assuming that there are enough of these boxes that handle
unknown RR types but don't understand DS, I think we should try to
make the protocol work through them.  The exact technical solution can
be debated -- I'd like to see if we can get rough consensus on the
need to avoid a clear path requirement.

-- Sam


archive: <http://ops.ietf.org/lists/namedroppers/>
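
A simplified model of the failure the message describes, added here as an illustration and not part of the original post: a cache that forwards unknown RR types still loses DS, because it sends the DS query to the child zone's servers, which do not hold the record. The zone names, record data and function names are constructed for this sketch.

```python
# Constructed two-zone model: DS for the child exists only in the PARENT zone.
ZONES = {
    "example.": {
        ("child.example.", "NS"): ["ns1.child.example."],
        ("child.example.", "DS"): ["<constructed DS rdata>"],
    },
    "child.example.": {
        ("child.example.", "SOA"): ["<constructed SOA rdata>"],
        ("child.example.", "NS"): ["ns1.child.example."],
        ("child.example.", "DNSKEY"): ["<constructed DNSKEY rdata>"],
        ("www.child.example.", "A"): ["192.0.2.10"],
    },
}


def enclosing_zones(qname):
    """Known zone apexes equal to qname or above it, deepest first."""
    hits = [z for z in ZONES if qname == z or qname.endswith("." + z)]
    return sorted(hits, key=len, reverse=True)


def pick_zone(qname, qtype, ds_aware):
    """Choose which zone's servers the resolver sends the query to."""
    zones = enclosing_zones(qname)
    if ds_aware and qtype == "DS":
        # DS sits on the parent side of the cut, so skip a zone whose apex is qname.
        zones = [z for z in zones if z != qname]
    if not zones:
        raise LookupError("no known zone encloses " + qname)
    # A legacy resolver treats DS like any other type and takes the deepest zone.
    return zones[0]


def resolve(qname, qtype, ds_aware):
    """Return (zone queried, rdata list); an empty list models a NODATA answer."""
    zone = pick_zone(qname, qtype, ds_aware)
    return zone, ZONES[zone].get((qname, qtype), [])


if __name__ == "__main__":
    queries = [("child.example.", "DS"), ("child.example.", "DNSKEY"),
               ("www.child.example.", "A")]
    for ds_aware in (False, True):
        print("DS-aware resolver" if ds_aware else "legacy resolver")
        for qname, qtype in queries:
            zone, rdata = resolve(qname, qtype, ds_aware)
            print(f"  {qname} {qtype}: asked {zone} -> {rdata or 'NODATA'}")
```

Only the DS lookup changes between the two modes; DNSKEY and A reach the same servers either way, which is why passing unknown types through is not enough.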