
Re: [dnsext] I-D Action:draft-ietf-dnsext-dnssec-rsasha256-07.txt



In message <20081204121956.GD2327@shinkuro.com>, Andrew Sullivan writes:
> On Thu, Dec 04, 2008 at 04:06:14PM +1100, Mark Andrews wrote:
> > 	RFC5155 used different numbers because we *couldn't* use
> > 	the same numbers.  That alone is not sufficient justification
> > 	to have separate numbers.
> 
> Note that the text merely says that it's in keeping with the previous
> approach.  All that means is that there's a precedent; that isn't a
> claim of justification.
>  
> > 	The only reason to have different numbers is if the wg
> > 	believes that there will be DNSSEC implementations in the
> > 	future that will not support NSEC3.  Given that a number
> > 	of TLDs intend to deploy NSEC3 I can't see any new
> > 	implementation not including NSEC3 support.
> 
> Why not?  I might want to build a non-validating (authority only)
> system that can nevertheless serve NSEC and not NSEC3 records.  It
> wouldn't be useful for TLDs, but it might be useful elsewhere.

	And no one would know if you used algorithm 7 to do that
	and only served zones that contained NSEC records.  The
	only time the authoritative server needs to know how to
	return NSEC3 proofs is when the zone contains an NSEC3 and
	there is an appropriate NSEC3PARAM record there.

	The validator however needs to handle both forms or
	it can't validate the returned responses.

> See also Jelte's point about downgrades.

> During WGLC, there appeared to be many strong arguments in favour of
> separating these pieces, and I heard no arguments in favour of keeping
> them joined.  So that's what we've decided to do.  Speaking
> personally, it seems to me that on grounds of feature isolation, it's
> preferable anyway.  But speaking as document shepherd, my impression
> of the rough consensus was that people wanted the NSEC/NSEC3
> issue to be separate from the SHA2 issue.  I haven't so far seen
> anything to suggest otherwise.
> 
> Best regards,
> Andrew
> 
> -- 
> Andrew Sullivan
> ajs@shinkuro.com
> Shinkuro, Inc.
> 
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
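The downgrade argument in this thread (why RFC 5155 gave NSEC3 zones their own algorithm numbers, 6 and 7, instead of reusing 3 and 5) can be made concrete as a small model of validator outcomes. This is an added example, not code from the thread, from ISC or from any resolver; the `Zone`, `Validator` and `outcome` names are constructed, and the decision rules are those of RFC 4035 section 5.2 (unsupported algorithm means treat the zone as unsigned) and the RFC 5155 alias scheme.

```python
"""Constructed model of how a validator's knowledge of algorithm numbers and
NSEC3 decides between 'secure', 'insecure' and 'bogus' for one response."""

from dataclasses import dataclass

# Algorithm numbers from RFC 4034 and RFC 5155 (real values).  The RSA/SHA-2
# numbers under discussion in the thread were not yet assigned, so they are
# not modelled here.
RSASHA1 = 5
DSA_NSEC3_SHA1 = 6
RSASHA1_NSEC3_SHA1 = 7
NSEC3_ALIASES = {DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1}


@dataclass
class Zone:
    algorithm: int     # algorithm number carried in the zone's DS/DNSKEY RRsets
    uses_nsec3: bool   # zone publishes NSEC3 + NSEC3PARAM rather than NSEC


@dataclass
class Validator:
    algorithms: set    # algorithm numbers this validator can verify
    nsec3: bool        # whether it can read NSEC3 denial-of-existence proofs


def outcome(v: Validator, zone: Zone, negative_answer: bool) -> str:
    """Return the RFC 4035 security status the validator would assign."""
    # RFC 4035 s5.2: no supported algorithm in the DS RRset -> the validator
    # cannot build a chain and treats the child as unsigned (insecure, not bogus).
    if zone.algorithm not in v.algorithms:
        return "insecure"
    # Positive answers only need RRSIG checks; the NSEC/NSEC3 choice is irrelevant.
    if not negative_answer:
        return "secure"
    # A denial-of-existence proof in a record type the validator does not
    # understand cannot be verified, so the negative answer is bogus.
    if zone.uses_nsec3 and not v.nsec3:
        return "bogus"
    return "secure"


def legacy_vs_alias(uses_alias: bool) -> str:
    """What a pre-RFC-5155 validator (knows RSASHA1, no NSEC3) concludes for a
    negative answer from an NSEC3 zone, depending on which number the zone used."""
    legacy = Validator(algorithms={RSASHA1}, nsec3=False)
    alg = RSASHA1_NSEC3_SHA1 if uses_alias else RSASHA1
    return outcome(legacy, Zone(algorithm=alg, uses_nsec3=True), negative_answer=True)
```

With the alias number the old validator falls back to insecure; reusing number 5 for the same zone would make every NXDOMAIN look bogus to it.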
