WGLC for DNSSECbis docs
I speak for myself and on behalf of Nominet UK.

I believe the use of NSEC RRs is entirely suitable for many DNSSEC
applications. In particular, a compelling case exists for their use in
zones under {in-addr,ipv6,e164}.arpa where meaningful enumeration is
already trivial. I don't believe that an authenticated denial of
existence ("negative answer") scheme that is designed to be
enumeration-resistant, such as NO or NSEC2, should replace NSEC, but
should be available strictly as an alternative, for use in zones where
the risk or operational impact of enumeration presents special
problems.

I understand that it would be impractical at this time to insist upon
the inclusion of an alternative negative answer scheme in DNSSECbis.
However, I believe that it's essential to defer the approval of the
current drafts long enough to consider what might be done to make them
"friendly" to the future incorporation of an alternative negative
answer scheme, in particular, possibly adding a version (or at least
MBZ) field to the NSEC RR RDATA field.

While the discussion so far appears to be undecided as to whether
DNSSECbis can be non-invasively extended to accommodate multiple
methods for negative answers, I believe it is preferable to have rough
consensus on this issue *before* the current docset goes to the IESG.
This shouldn't require a one-year delay, as some of the more
pessimistic projections have put it.

I sincerely hope the dnsext WG chairs, the Internet Area ADs, and the
IESG will recognise that a DNSSEC specification that meets its original
design goals but fails to satisfy the operational requirements of a
number of significant DNS operators, such as Nominet UK (.uk ccTLD
registry) and DeNIC (.de ccTLD registry), will be a serious impediment
to the deployment of the protocol. Moreover, I suspect that NSEC RR
elaboration will become an operational nuisance even for registries
with relatively weak privacy requirements, such as the ICANN gNSO
member registries, which may potentially further erode support for the
protocol.

In short, I request the WGLC be extended at least long enough to
establish rough consensus on whether an alternate negative reply scheme
can be incorporated into DNSSECbis, or if DNSSECter will be required
instead.

I've followed the work of this group for a number of years; it would be
an understatement to say that I respect and admire the authors and
supporting cast for the DNSSECbis docset. So it's painful to find
myself having to take sides against some of you. But, under the
circumstances, I believe I have little choice.

Regards,

Geoffrey Sisson
Nominet UK