At 15:13 -0500 12/11/08, Andrew Sullivan wrote:
> On Thu, Dec 11, 2008 at 02:40:17PM -0500, Edward Lewis wrote:
>> But my preference is not to tie RSA/SHA-1 to NSEC3. It's known that I have been skeptical of NSEC3, to the irritation of a few people. There's no need to go into that again, not now and not here. Whether my skepticism is warranted or not, I feel that NSEC3 is still too immature to assume that it is an essential core element of DNS or DNSSEC.
>
> Does the above constitute an objection to the direction we've lately apparently been headed, which was to revert to one identifier? That is, you seem to be arguing against one identifier, and in favour of two. How strongly do you feel about it?
Against all sensibility, I think the wiser course is to use a second number again.
I don't like the precedent (either) - that is, using one algorithm number per crypto algorithm/hash per version of negative answer in play - I mean when NSEC5 is out there, will we be assigning three per algorithm?
I think it's not until NSEC3 has an operational resume behind it that we can start writing (non-negative answer) specs that assume NSEC3's implementation. The lack of experience (or of multiple proven interoperable full-release-level implementations) is why I still lean toward sticking with two numbers.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Never confuse activity with progress. Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>