On Thu, Apr 22, 2021, at 10:23, Viktor Dukhovni wrote:
> Also, I suspect that the content of your zone is managed by... you. The zone content is largely irrelevant for signing, DNSSEC signing just covers whatever is found in the zone.
This assumes that the zone is a static, serialisable beast which doesn't have different content depending on whether you look at it funny (or from a different geoip region, and that there's no eventual consistency happening underneath).
> I am suggesting that Google can easily do DNSSEC for google.com, they likely face non-trivial adoption barriers with global DNSSEC load-balancing, and other specialised tech. I am just saying the old excuses are tired out, we can and should move on.
I'm liking the "actually, we are the protocol police" more and more. If people aren't compelled to implement something, then it's not offering them enough value. But you know - maybe if they say "we don't want to because reasons", telling them "your excuses are tired" won't persuade. We can only really move on if we bring the world with us.
Bron.
--
Bron Gondwana, CEO, Fastmail Pty Ltd
brong@xxxxxxxxxxxxxxxx