Re: ISSUE 2: Mandatory to implement
# Another way of phrasing is:
#
# This would be the "mandatory to implement" mechanism for everybody who would
# want to perform automatic rollover of DNSKEYs. Section 5.6 just says that
# you may choose not to perform automatic rollovers.

so it's mandatory-to-implement for the root zone and for any other zone ``that
is intended to be a "public" entry point in the chain of trust,'' but it isn't
mandatory-to-implement for requestors, who must be considered to comply with
the DNSSEC protocol even if they don't automate this particular function.

let me register my disagreement with this position by quoting my own words:

    this ... opens the possibility of an "early adopter" class of
    implementations who, lacking this automation, rely on human hands to
    roll keys, where we know from the history of root hints that this
    won't occur.

another way of phrasing it is, if automation of this function is optional,
then i predict market failure of virtually every implementation which lacks
it, and if these implementations have critical mass, then i predict market
failure of the DNSSEC protocol itself.

however, i must also note that for the purposes of RFC 3979, the fact that
some zone operators (including the root zone) must implement this means it
is "mandatory-to-implement". so for the purpose of answering issue 1, your
vision of one-sided mandatoryness (while dangerous) supports my proposed
text for 5.2 in the "ISSUE 1" thread.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>