Re: NSEC3-01 - more wildcard nits
--On 31 March 2005 10:04 -0500 Edward Lewis <Ed.Lewis@neustar.biz> wrote:

> PS I still have my doubts about finding a successor to NSEC. A flag day
> would be needed to erase existing NSEC from the DNS and be seamless.
> Even if the thought is that "NSEC-era" verifiers will be upgraded to
> overcome this, that's the flag day.

Why does existing NSEC data need to be "erased from the DNS"? Why can
it not continue living there? Surely if we do the rollover suggested
several months ago, then we can leave NSEC data in, people may wish
to publish zones with both in (to support old resolvers if they aren't
worried about enumeration), and those new converts who adopt NSEC3
only will appear to have insecure zones to "old" (i.e. DNSSECbis)
resolvers.

Sure, zone publishers will need to pick a day when they don't want to
support old NSEC anymore. But why an internet wide flag day?
Alex
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>