
[dnsext] one algorithm number or two

The issue of whether to assign just one algorithm number or two algorithm numbers for RSA/SHA-2 is a result of there being no unified DNS definition. I.e., you can't assume a DNS server fully implements RFC 1995, even if it is used to host the global public Internet's root zone. The situation is not unique to this draft.

The document describing RSA/SHA-2 could elect to assign one number provided the specification requires (MUST) compliance with RFC 5011 in all implementations (compliant with the new hash).

But my preference is not to tie RSA/SHA-1 to NSEC3. It's known that I have been skeptical of NSEC3, to the irritation of a few people. There's no need to go into that again, not now and not here. Whether my skepticism is warranted or not, I feel that NSEC3 is still too immature to assume that it is an essential core element of DNS or DNSSEC.

I know a lot of TLDs are planning on NSEC3. But as of today, none are publishing their production zones with NSEC3 records. Maybe they soon will, but I'm too old school to bet on the future.

I don't like having two separate algorithm numbers. It makes more sense to use the one algorithm number route.

But I think having two numbers is a safer bet on the future. Perhaps if NSEC3 has a proven track record, we can get by with assigning just one number.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>