Re: [dnsext] I-D Action:draft-ietf-dnsext-dnssec-rsasha256-07.txt
Mark Andrews wrote:
>
> The only reason to have different numbers is if the wg
> believes that there will be DNSSEC implementations in the
> future that will not support NSEC3.
> Given that a number
> of TLD's intend to deploy NSEC3 I can't see any new
> implementation not including NSEC3 support.
>
me neither, but tell it to the chairs, they made me ;)
Apparently it has already been decided that there will be validators
that do not do nsec3, even if they cannot validate much of the internet...
But actually, there was a better reason to use algorithm number
signaling imho. I think Sam pointed me to that. That is that there are
no other nsec-type-signaling mechanisms, so until you actually get NSEC
or NSEC3 records as a validator, you don't know what you are supposed to
get, opening you up for downgrade attacks if either NSEC or NSEC3 turns
out to contain an attackable problem.
Jelte
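The signaling argument above, as an added example that is not part of the thread or of any implementation: a validator that derives the expected denial-of-existence type from the DNSKEY algorithm numbers (the RFC 5155 NSEC3 aliases 6 and 7 versus plain 3 and 5) can reject a substituted NSEC/NSEC3 proof, while an algorithm with no NSEC3 alias (8 and 10 from the draft under discussion) leaves it accepting either. The function names and the `SIGNALS` table are this example's own construction; the "treat unsupported algorithms as unsigned" rule follows RFC 4035 section 5.2.

```python
# Added example, not code from the thread or from any DNSSEC implementation.
# Algorithm numbers from the IANA DNSSEC registry (RFC 4034, RFC 5155, RFC 5702).
RSASHA1 = 5
DSA_NSEC3_SHA1 = 6
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
RSASHA512 = 10

# Constructed table: which denial-of-existence type each algorithm number
# signals. The NSEC3 aliases (6, 7) signal NSEC3, 3 and 5 signal plain NSEC,
# and RSASHA256/RSASHA512 have no alias, so they signal nothing ("either").
SIGNALS = {
    3: {"NSEC"}, 5: {"NSEC"},
    6: {"NSEC3"}, 7: {"NSEC3"},
    8: {"NSEC", "NSEC3"}, 10: {"NSEC", "NSEC3"},
}


def expected_denial(zone_algs, validator_algs):
    """Return 'insecure' or the set of denial types the validator must accept.

    zone_algs: algorithm numbers present in the zone's DNSKEY RRset.
    validator_algs: algorithm numbers this validator implements.
    A zone signed only with algorithms the validator does not support is
    treated as unsigned (RFC 4035 section 5.2), not as bogus. That is how an
    NSEC-only validator survives an NSEC3 zone signed with algorithm 6 or 7.
    """
    usable = set(zone_algs) & set(validator_algs)
    if not usable:
        return "insecure"
    expected = set()
    for alg in usable:
        expected |= SIGNALS[alg]
    return expected


def accept_denial(zone_algs, validator_algs, seen_type):
    """Decide whether a denial-of-existence proof of type seen_type
    ('NSEC' or 'NSEC3') may be used for this zone. With algorithm 7 a
    validator can refuse a swapped-in NSEC proof; with algorithm 8 it has
    no signal and must take whichever type arrives."""
    expected = expected_denial(zone_algs, validator_algs)
    if expected == "insecure":
        return True  # nothing to validate, answer is provably unsigned to us
    return seen_type in expected
```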
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>