[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)

To: Peter Koch <pk@DENIC.DE>
Subject: Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
From: Jelte Jansen <jelte@NLnetLabs.nl>
Date: Wed, 10 Dec 2008 16:43:50 +0100
Cc: IETF DNSEXT WG <namedroppers@ops.ietf.org>
In-reply-to: <20081210150817.GC30676@unknown.office.denic.de>
References: <Pine.LNX.4.64.0809301237230.27246@mint> <200812090324.mB93OARV045445@drugs.dv.isc.org> <20081209143420.GA8932@shinkuro.com> <20081210030636.GA565@sirocco.local> <20081210150817.GC30676@unknown.office.denic.de>
User-agent: Thunderbird 2.0.0.18 (X11/20081125)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Koch wrote:
> 
>> gone back through the mailing list to examine the record, I strongly
>> oppose its conclusion.  The language regarding NSEC3 support from the
>> -05 version should be restored and we should not continue the
>> unnecessary practice of algorithm aliases.
> 
> I agree that we should refrain from the continued algorithm aliasing, but
> would like to propose a slightly different solution.  The draft should go back to
> two instead of four algorith numbers.  The text regarding NSEC3 should
> be clarified around 'support' and 'recognition'. RFC 5155 pretty well
> documents the need for aliases, but it didn't make the step forward
> explaining why this won't set precedent for future extensions.
> Therefore, we should document, maybe in DNSSECbis-Updates, the decision and
> the reasoning, so it's available for similar situations in the future.
> Note that we might also want to strongly recommend NSEC3 as part of DNSSECbis
> there, but these are separate issues.
> 

heh :)

in waiting for the chairs, i preemptively wrote this earlier today:


5.2.  Support for NSEC3 Denial of Existence

   Note that these algorithms have no aliases to signal NSEC3 denial of
   existence.  The aliases mechanism used in RFC5155 was to protect
   implementations predating that RFC from encountering records they
   could not know about.

   Implementations that support RSA/SHA-2 algorithms SHOULD also
   implement NSEC3 denial of existence [RFC5155].

   If an implementation chooses not to support NSEC3, it MUST at the
   very least recognize NSEC3 Resource Records and treat any zone that
   uses those as unsigned, after verifying the signatures on those
   records.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkk/47UACgkQ4nZCKsdOncUi1gCgyjNixFJLP9DAlbB5rvK6jA5V
MXkAoM1S8XPMBIGAWgKFznUMRZZYwMxs
=CV8x
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- [dnsext] Re: implied NSEC3 support in rsasha256
  - From: Wes Hardaker <wjhns1@hardakers.net>
- Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
  - From: Mark Andrews <Mark_Andrews@isc.org>

References:
- Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
  - From: Sam Weiler <weiler@tislabs.com>
- Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
  - From: Mark Andrews <Mark_Andrews@isc.org>
- Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
  - From: Andrew Sullivan <ajs@shinkuro.com>
- Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
  - From: Matt Larson <mlarson@verisign.com>
- Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
  - From: Peter Koch <pk@DENIC.DE>

Prev by Date: Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
Next by Date: Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
Previous by thread: Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
Next by thread: Re: implied NSEC3 support in rsasha256 (was: [dnsext] Re: Working Group Last Call for draft-ietf-dnsext-dnssec-rsasha256-05)
Index(es):
- Date
- Thread