Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
In message <20081209143420.GA8932@shinkuro.com>, Andrew Sullivan writes:
> On Tue, Dec 09, 2008 at 02:24:10PM +1100, Mark Andrews wrote:
>
> > The only reason for having two numbers is if you believe
> > that there is a reason to support validators which can do
> > RSA/SHA-256 and not NSEC3. I don't see a need to support
> > that combination.
>
> I determined during working group last call, however, that others
> _did_ see a need to support that combination. Moreover, I buy the
> argument that we shouldn't link these two issues together. If there
> is a validator that can't do NSEC3 and they find they suddenly want
> to do SHA-2, why do we want to put an extra barrier in their way?
Because it sets a BAD precedent. It means that you just
cut down the effective algorithm space by half. Yes it
requires validator writers to support NSEC3 but I don't see
that as a bad thing as it is a real world requirement to
support NSEC3 if DNSSEC is ever going to fly. We have
several TLD operators stating that they intend to deploy
NSEC3.
Is there any DNSSEC validator vendor that is not planning
to support NSEC3? I'm aware of none.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org