
Re: [dnsext] Working group workflow (nsec3 in draft-sha256)



On 12/10/08 3:40 AM, "Jelte Jansen" <jelte@NLnetLabs.nl> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Roy Arends wrote:
>> Andrew Sullivan wrote on 12/09/2008 07:09:48 PM:
>> 
>>> But now, well after the WG is supposed to be done with the document,
>>> we have a new round of objections that re-open a previously closed
>>> discussion. 
>> 
>> Not so fast:
>> 
>> I asked for implied support of NSEC3 in october 2007, and the document
>> subsequently reflected this:
>> 
>> http://www.ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00599.html
>> 
>> "What I do like to mandate is support for the new keytypes implies support
>> for NSEC3, provided that NSEC3 is proposed standard by that time. That
>> would avoid allocating an alias for every keytype."
>> 
>> There has been no objection since then, and the document reflected this,
>> until recently. I _have_ reviewed the document in october 2007. I call
>> that early, not late.
>> 
> 
> There was not much support either; Matt is the third (!) person I count
> (please correct me if I'm wrong). This is probably my fault; I could have
> asked for more explicit support on-list back when I made the original
> change to implied support.
> 

I don't know if I was one of the implied or not (Sept/Oct was busy and I did
not give the WG enough of my attention).  I was one of the earliest
supporters and still support this draft.  SHA-2 support is the important
thing and I did not have a strong feeling about implied NSEC3 support.

I agree with Matt Larson:  Non-NSEC3 aware resolvers will be in the minority
soon as large infrastructure zones sign using NSEC3.  I see no real need to
give every algorithm 2 codes for NSEC/NSEC3 signaling.


> So I asked the list to speak up about this issue, and there was a torrent of 2
> whole responses (1 for, 1 against), until the revival of the thread two days
> ago.
> 
> Now I don't like sending or seeing '+1' messages. But we do apparently need
> those.
> 
I agree, but for the record:  I support the SHA-2 draft either way, but
would prefer it if support for SHA-2 also signaled support for NSEC3.

Scott

===================================
Scott Rose
NIST
scottr@nist.gov
ph: +1 301-975-8439
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
===================================
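The design question under discussion (one algorithm code per key type with NSEC3 support implied, versus a second alias code per algorithm as RFC 5155 did for algorithms 6 and 7) comes down to what a validator that predates NSEC3 does with a negative answer. The following is an added illustration, not code from the thread or from any of the implementations its participants work on. It models a hypothetical legacy validator that only knows RSASHA1 (5) and a newer one, and applies the validation rules: an unknown DNSKEY algorithm makes the zone insecure (treated as unsigned), while a known algorithm combined with denial-of-existence records the validator cannot parse yields bogus. The treatment of algorithms 8 and 10 as implying NSEC3 support is how the draft was eventually published (RFC 5702, Section 5.2), which post-dates this message; the `Validator`, `Zone` and `outcome` names are constructed for this example.

```python
"""Model of NSEC3 signaling through DNSKEY algorithm numbers (added example)."""
from dataclasses import dataclass

# DNSKEY algorithm numbers from the IANA registry.
RSASHA1 = 5
DSA_NSEC3_SHA1 = 6       # alias of DSA (3) that signals NSEC3 support (RFC 5155)
RSASHA1_NSEC3_SHA1 = 7   # alias of RSASHA1 (5) that signals NSEC3 support (RFC 5155)
RSASHA256 = 8            # no alias: implementing it implies NSEC3 support (RFC 5702)
RSASHA512 = 10           # likewise (RFC 5702)

# Algorithm numbers whose support carries an NSEC3 requirement with it,
# whether by alias (6, 7) or by implication (8, 10).
IMPLIES_NSEC3 = {DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1, RSASHA256, RSASHA512}


@dataclass(frozen=True)
class Validator:
    """A validating resolver, described by the algorithms it implements."""
    algorithms: frozenset

    def understands_nsec3(self) -> bool:
        # A conformant validator that implements any NSEC3-signaling
        # algorithm must also implement NSEC3 denial of existence.
        return bool(self.algorithms & IMPLIES_NSEC3)


@dataclass(frozen=True)
class Zone:
    """A signed zone: the algorithms in its DNSKEY RRset and its NXDOMAIN proof type."""
    dnskey_algorithms: frozenset
    uses_nsec3: bool


def outcome(validator: Validator, zone: Zone) -> str:
    """Validation result for a negative answer from `zone`: secure, insecure or bogus."""
    usable = validator.algorithms & zone.dnskey_algorithms
    if not usable:
        # RFC 4035 Section 5.2: no supported algorithm in the DS/DNSKEY set,
        # so the zone is treated as unsigned rather than failing validation.
        return "insecure"
    if zone.uses_nsec3 and not validator.understands_nsec3():
        # Key algorithm is known, but the NSEC3 records proving non-existence
        # are not, so the answer cannot be authenticated.
        return "bogus"
    return "secure"


def scenarios() -> dict:
    """Compare a pre-NSEC3 validator with a current one across signing choices."""
    legacy = Validator(frozenset({RSASHA1}))
    current = Validator(frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256}))
    return {
        # NSEC zone with plain RSASHA1: everyone validates it.
        "legacy/nsec/alg5": outcome(legacy, Zone(frozenset({RSASHA1}), False)),
        # NSEC3 zone signed with the un-aliased code: legacy validator breaks.
        "legacy/nsec3/alg5": outcome(legacy, Zone(frozenset({RSASHA1}), True)),
        # The alias code (RFC 5155) makes the legacy validator step aside.
        "legacy/nsec3/alg7": outcome(legacy, Zone(frozenset({RSASHA1_NSEC3_SHA1}), True)),
        # The implied scheme gives the same protection without a second code.
        "legacy/nsec3/alg8": outcome(legacy, Zone(frozenset({RSASHA256}), True)),
        "current/nsec3/alg8": outcome(current, Zone(frozenset({RSASHA256}), True)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

The `legacy/nsec3/alg7` and `legacy/nsec3/alg8` rows are the point of the argument: both schemes turn an old validator's "bogus" into "insecure", so a separate NSEC3 alias for each new algorithm buys nothing that implied support does not already provide.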




--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>