
[dnsext] draft-ietf-dnsext-dnssec-bis-updates and NSEC3



The list traffic makes it sound like we all believe that NSEC3 is now really part of DNSSEC deployment. If so, draft-ietf-dnsext-dnssec-bis-updates should say so, given that we want that document to reflect reality. Humorously, that draft doesn't even *mention* NSEC3, despite the overlap in authors.

Proposals for draft-ietf-dnsext-dnssec-bis-updates:

- Add a new section 2.1 that describes NSEC3, says that it is expected to be used in many high-profile zones, and has been widely deployed in resolvers. Say explicitly that DNSSEC is now defined to include NSEC3, although it is expected that some resolvers will only handle NSEC until they are updated.

- Update current sections 2.1, 2.3, 2.4, 2.5, and 4.2 to indicate "NSEC and/or NSEC3" as appropriate.

- Change the status of the document to say that it updates 4033 as well.

- Add a new sub-section at the end of section 3 that says that RSA-SHA256 is now part of DNSSEC.

- Add normative references to RFC 5155 and RFC-from-draft-ietf-dnsext-dnssec-rsasha256.

Do folks agree with this method of letting the world know that NSEC3 is required for DNSSEC?

--Paul Hoffman, Director
--VPN Consortium
