moonshiner · May 30, 2023 15:06
diff --git a/gistfile1.txt b/gistfile1.txt
 https://datatracker.ietf.org/doc/draft-thomassen-dnsop-cds-consistency/
 Consistency for CDS/CDNSKEY and CSYNC is Mandatory



 114
    Mark: CDS records are no different than any others
        One NS might be down, which would stop the 
        Peter: This is telling the parent how to act when faced with inconsistent information
    Viktor: There might be hidden masters
        Don't want to get stuck
        Peter: Wording could be changed to allow servers down
    Ben: There is a missing time constant
        When do I recheck if I get an inconsistent set?
        Peter: 7344 doesn't put any time limit
        Ben: Should suggest some time to retry when there is an inconstancy

 115
    Wes: Supports this
        Likes mandating checking everywhere
    Ralf: Supports this
        Can't ask "all" servers in anycast
        What if you don't get a response
        Peter: Ask each provider
            Is willing to add in wording about non responses 
        Paul Wouters: This wasn't in CSYNC, our bug
    Viktor: Concern was hidden masters and nameservers that are gone 	and are never going to come back


 116

    Viktor: Corner case: if someone is moving to a hoster that doesn't do DNSSEC
        Peter: Could add a way to turn off DNSSEC on transfer
    Johan Stenstram: Breaks the logic that "if it is signed, it is good"
        Doesn't like "if this is really important"
        Let's not go there
        Authoritative servers are proxies for the registrant
        Out of sync is reflection on the registrant: business issues
    Wes: CSYNC was for keeping DNS up and running
        CSYNC can't fix the business problems
    Peter: Agrees that one signature should be OK
        Other parts of the spec also suggest asking multiple places
	https://datatracker.ietf.org/doc/draft-thomassen-dnsop-cds-consistency/
	Consistency for CDS/CDNSKEY and CSYNC is Mandatory



	114
	Mark: CDS records are no different than any others
	One NS might be down, which would stop the
	Peter: This is telling the parent how to act when faced with inconsistent information
	Viktor: There might be hidden masters
	Don't want to get stuck
	Peter: Wording could be changed to allow servers down
	Ben: There is a missing time constant
	When do I recheck if I get an inconsistent set?
	Peter: 7344 doesn't put any time limit
	Ben: Should suggest some time to retry when there is an inconstancy

	115
	Wes: Supports this
	Likes mandating checking everywhere
	Ralf: Supports this
	Can't ask "all" servers in anycast
	What if you don't get a response
	Peter: Ask each provider
	Is willing to add in wording about non responses
	Paul Wouters: This wasn't in CSYNC, our bug
	Viktor: Concern was hidden masters and nameservers that are gone and are never going to come back


	116

	Viktor: Corner case: if someone is moving to a hoster that doesn't do DNSSEC
	Peter: Could add a way to turn off DNSSEC on transfer
	Johan Stenstram: Breaks the logic that "if it is signed, it is good"
	Doesn't like "if this is really important"
	Let's not go there
	Authoritative servers are proxies for the registrant
	Out of sync is reflection on the registrant: business issues
	Wes: CSYNC was for keeping DNS up and running
	CSYNC can't fix the business problems
	Peter: Agrees that one signature should be OK
	Other parts of the spec also suggest asking multiple places