[dns-operations] NSEC3

Paul Vixie paul at vix.com
Sat Jun 24 18:00:18 UTC 2006

i'm bringing this over to dns-operations@ for a gut check.  NSEC3 is coming,
and certain players (verisign and nominet among them) have said that they'll
not deploy DNSSEC-bis as it is (that is, without NSEC3) due to concerns about
zone enumeration etc which are expected to be resolved by NSEC3.

my estimate, having been through the deployment curve on DNSSEC-bis and prior,
is that we'll see an end to the kinds of design discussions shown in the 
attached e-mail by around winter 2006, and that we'll see a deployable RFC
with deployable code by around summer 2007, and that some large players such
as nominet and verisign will go into production by winter 2007, and the rest
of the industry (including browser and desktop-OS vendors) could roll out 
beginning spring 2008 if everything else looks workable and attractive.

if anything goes wrong-- if the whiteboards are wrong and NSEC3 ends up having
show-stopper design-level problems that aren't discovered until it gets out
of the lab and into various kinds of public testing-- then i estimate that we
would restart a 2-year timer at the moment that the show-stopper was found.

(before you call me pessimistic, plz realize that i've been right about every
other estimate i've made about dnssec deployment timing in the last 12 years,
except for the two times i wrongly said it would be within-one-year.)

so here's my question, which you should consider while reading the attached
e-mail which shows two of the designers of NSEC3 discussing basic design
principles for what i'm starting to call DNSSEC-ter in my mind.  "will you
and/or your organization dedicate any resources to DNSSEC-bis as it is?"

alternatives are all equivalent.  you could say "not until DNSSEC-ter" or
"not until everybody else has already deployed it and there's a market for it"
or just "never".  that doesn't matter to me, for the purpose of thinking about
BIND and DLV.  all i'm trying to suss out here is, "is DNSSEC-bis still alive?"


-------------- next part --------------
An embedded message was scrubbed...
From: Ben Laurie <ben at algroup.co.uk>
Subject: Re: NSEC3 Issue 18: signalling complete NSEC3 chains
Date: Sat, 24 Jun 2006 18:33:57 +0100
Size: 4949
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20060624/15281c7f/attachment.mht>