Closed ShivanKaul closed 1 year ago
@shuque can you take a look at the DNSSEC section in Security Considerations?
About this, right? "DNSSEC validation MUST be enabled by service providers that verify domain control validation records they have issued"
Yeah, I think "SHOULD" will be an easier sell. I could be wrong, but "MUST" will probably invite the DNSSEC opponents to bicker vigorously with the draft once it goes to wider IETF review. If the application provider doesn't or can't support DNSSEC validation, we can also recommend that they deploy compensating measures such as multi-vantage-point queries, etc.
I agree - SHOULD is an easier sell, sadly.
Use RECOMMENDED