Re: [dnsext] one algorithm number or two
In message <a06240801c5671883dffa@[10.31.200.152]>, Edward Lewis writes:
> The issue of whether to assign just one algorithm number or two
> algorithm numbers for RSA/SHA-2 is a result of there being no unified
> DNS definition. I.e., you can't assume a DNS server fully implements
> RFC 1995, even if it is used to host the global public Internet's
> root zone. The situation is not unique to this draft.
>
> The document describing RSA/SHA-2 could elect to assign one number
> provided the specification require (MUST) compliance with RFC 5011 in
> all implementations (compliant with the new hash).
>
> But my preference is not to tie RSA/SHA-1 to NSEC3. It's known that
> I have been skeptical of NSEC3, to the irritation of a few people.
> There's no need to go into that again, not now and not here. Whether
> my skepticism is warranted or not, I feel that NSEC3 is still too
> immature to assume that it is an essential core element of DNS or
> DNSSEC.
>
> I know a lot of TLDs are planning on NSEC3. But as of today, none
> are publishing their production zones with NSEC3 records. Maybe they
> soon will, but I'm too old school to bet on the future.
>
> I don't like having two separate algorithm numbers. It makes more
> sense to use the one algorithm number route.
>
> But I think having two numbers is a safer bet on the future. Perhaps
> if NSEC3 has a proven track record, we can get by with assigning just
> one number.
We can always go back and assign an NSEC-only alias later
if we end up seeing operational problems with the single
assignment.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org