Re: NSEC-13 conclusion
Mark Andrews wrote on 12/11/2007 11:12:05 PM:
> > I have to ask, now that I have time to read the
> > document, is there a reason opt-out is optional
> > wrt to NSEC3?
>
> You can still want to assert the non-existence of a delegation.
>
> Note: the decision of whether to include opt-out or not in NSEC3
> has never been decided. We are still in limbo state on this question.
>
> The most recent version of this WG's "Requirements related to DNSSEC
> Signed Proof of Non-Existence" document, dated June 2006, contains
> the text:
>
> Editor comments: We believe that [opt-out] is a medium-priority goal or
> desire and should be considered. Because of the similarity of this
> item to the older "opt-in signed zones" proposal, we recognize that
> consideration of this item may bog down the DNSEXT WG and that a
> decision must be made by the WG chairs. [Section 8, "Group 5"]
>
> If the audio records were complete I'm pretty sure I could also find the
> decision to defer deciding whether NSEC3 should be part of DNSSEC or
> not.
Mark, I think we did due diligence on that.
On Wed, 10 Jan 2007, Olaf Kolkman, the then WG co-chair, issued a WGLC on
NSEC3:
http://ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00027.html
On Mon, 5 Feb 2007, during the last call, there was one comment on
Opt-Out, from Olaf Kolkman, acting without hats, stating the following:
http://ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00086.html
In the past I have repeatedly said that I am not happy with the way
that OPT-OUT (then called OPT-IN) changes the security model away
from the concept that a "zone" is secure. I continue to not be happy
but consent with the argument that such feature is needed in specific
operational environments.
On Fri, 23 Feb 2007, Olaf Kolkman, acting as co-chair, summarized the WGLC
as follows on this specific point:
http://ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00132.html
The opt-in feature used to be contentious but it is clear that
the consensus in the working group has shifted over the years.
In the presence of his own concern, and absence of other statements on
nonsupport for OPT-OUT, the co-chair declared consensus.
I do not know of any decision to defer deciding whether NSEC3 should be
part of DNSSEC or not. I do not know of any decision to defer deciding
whether opt-out should be part of NSEC3. I've found no evidence on the
mailing list about a decision to defer either. NSEC3, including opt-out
was adopted as a working group item.
Note that the quoted text in the requirements document is not contentious
here. Since 'consideration of this item' [opt-out] did not bog down the
DNSEXT WG, and that the WG chairs _have_ made a decision (see wglc summary
above), I do not see why 'we are still in limbo state on this
question'.
Regards,
Roy Arends