Re: [dnsext] draft-ietf-dnsext-dnssec-bis-updates and NSEC3

On Dec 11, 2008, at 10:51 PM, Paul Hoffman wrote:

> The list traffic makes it sound like we all believe that NSEC3 is now really part of DNSSEC deployment. If so, draft-ietf-dnsext-dnssec-bis-updates should say so, given that we want that document to reflect reality. Humorously, that draft doesn't even *mention* NSEC3, despite the overlap in authors.

Heh, true. Actually, the working copy I have does mention NSEC3, but that is because it contains a clarification to 5155 that was discovered in Minneapolis (Roy posted the basic text that I added). So, the next version will also update 5155 (unless the WG objects, of course).

> Proposals for draft-ietf-dnsext-dnssec-bis-updates:
>
> - Add a new section 2.1 that describes NSEC3, says that it is expected to be used in many high-profile zones, and has been widely deployed in resolvers. Say explicitly that DNSSEC is now defined to include NSEC3, although it is expected that some resolvers will only handle NSEC until they are updated.
>
> - Update current sections 2.1, 2.3, 2.4, 2.5, and 4.2 to indicate "NSEC and/or NSEC3" as appropriate.
>
> - Change the status of the document to say that it updates 4033 as well.
>
> - Add a new sub-section at the end of section 3 that says that RSA-SHA256 is now part of DNSSEC.
>
> - Add normative references to RFC 5155 and RFC-from-draft-ietf-dnsext-dnssec-rsasha256.
>
> Do folks agree with this method of letting the world know that NSEC3 is required for DNSSEC?

I think I would be more inclined to add this sort of thing to a new section, personally. I don't really see it in the same vein as the other "Significant Concerns". Instead, these are updates to 4033 section 10, expanding the DNSSEC Security Document Family. But, I can be flexible.

--
David Blacka                          <davidb@verisign.com>
Sr. Engineer                   Platform Product Development