[dns-operations] NSEC3

Olaf M. Kolkman olaf at NLnetLabs.nl
Mon Jun 26 08:33:11 UTC 2006

Hi Paul and others,


> (before you call me pessimistic, plz realize that i've been right about every
> other estimate i've made about dnssec deployment timing in the last 12 years,
> except for the two times i wrongly said it would be within-one-year.)

For what it's worth, I think that your estimates here are within the same
order of magnitude as the ones I would make. I'd be a bit more optimistic,
but then again, I've been proven a bit too optimistic at

> so here's my question, which you should consider while reading the attached
> e-mail which shows two of the designers of NSEC3 discussing basic design
> principles for what i'm starting to call DNSSEC-ter in my mind. "will you
> and/or your organization dedicate any resources to DNSSEC-bis as it is?"
> alternatives are all equivalent. you could say "not until DNSSEC-ter" or
> "not until everybody else has already deployed it and there's a market for it"
> or just "never". that doesn't matter to me, for the purpose of thinking about
> BIND and DLV. all i'm trying to suss out here is, "is DNSSEC-bis still alive?"

I think it is fair to take the following into account when answering that
question.

For anybody on the provisioning side of the DNS (authoritative servers) who
does not have the same requirements as Nominum and Denic [1] or as
Verisign [2], there is no need to wait for DNSSECter.

DNSSECter is designed to be backward compatible with DNSSECbis. If people
sign their zones today, their zones will be verified by DNSSECter validators.

People that deploy DNSSECbis validators, e.g. in recursive nameservers, will
at the introduction of DNSSECter see DNSSECter zones as "unsecured" and will
benefit from security in those zones only after upgrading their software.

In other words: the incremental costs for going from DNSSECbis to DNSSECter
should be close to NULL at the authoritative server side. At the 'client'
side the incremental costs are mostly in understanding the DNSSECter
technology (in order to do troubleshooting) and deploying new software.

As for the answer to your question: yes, NLnet Labs dedicates many resources
to deploying DNSSEC-bis as is, not only in its own environment but also in
support of others :-)...


To paraphrase those requirements:
[1] --- the requirement for non-disclosure of zone content through
[2] -- the need to be able to introduce DNSSEC in .com without seeing
several gigabytes of core growth, and the need for generating several tens
of millions of RRSIGs after their deployment flag date;

Olaf M. Kolkman
NLnet Labs
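The backward-compatibility behaviour described in the message above (a DNSSEC-bis validator treating an NSEC3-signed zone as unsigned rather than as failed) can be modelled in a few lines. This is an added example, not code from the original message or from NLnet Labs; it assumes the mechanism NSEC3 eventually used in RFC 5155 (new DNSKEY algorithm numbers 6 and 7) and the DS-selection rule of RFC 4035 section 5.2, with constructed DS records and placeholder digests.

```python
from dataclasses import dataclass

# DNSKEY/DS algorithm numbers from the IANA registry. 3 (DSA) and 5 (RSASHA1)
# are DNSSEC-bis (RFC 4034); 6 and 7 were added by RFC 5155 as NSEC3-capable
# aliases of 3 and 5. DS digest types: 1 = SHA-1, 2 = SHA-256.
DSA, RSASHA1 = 3, 5
DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1 = 6, 7
BIS_ALGORITHMS = frozenset({DSA, RSASHA1})                       # pre-NSEC3 validator
TER_ALGORITHMS = BIS_ALGORITHMS | {DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1}


@dataclass(frozen=True)
class DS:
    """One DS record published at the parent for a delegation."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def classify_delegation(ds_rrset, supported_algorithms, supported_digests=frozenset({1, 2})):
    """How a validator treats a delegation given its (authenticated) DS RRset.

    RFC 4035 section 5.2: with no DS record whose algorithm (and digest type)
    the validator supports, there is no supported authentication path, and the
    child is treated exactly like a proven-unsigned delegation, not as bogus.
      []                      -> 'unsigned'
      DS present, none usable -> 'insecure'
      at least one usable DS  -> 'validate'  (go on to DNSKEY/RRSIG checks)
    """
    if not ds_rrset:
        return 'unsigned'
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algorithms
              and ds.digest_type in supported_digests]
    return 'validate' if usable else 'insecure'


# Constructed DS RRsets (digests are placeholders, not real hashes).
NSEC3_ZONE_DS = [DS(key_tag=12345, algorithm=RSASHA1_NSEC3_SHA1, digest_type=2, digest='ab' * 32)]
BIS_ZONE_DS = [DS(key_tag=54321, algorithm=RSASHA1, digest_type=1, digest='cd' * 20)]


def compare_validators(ds_rrset):
    """Return (DNSSEC-bis verdict, DNSSEC-ter verdict) for the same delegation."""
    return (classify_delegation(ds_rrset, BIS_ALGORITHMS),
            classify_delegation(ds_rrset, TER_ALGORITHMS))


if __name__ == "__main__":
    print("NSEC3-signed zone:", compare_validators(NSEC3_ZONE_DS))  # ('insecure', 'validate')
    print("bis-signed zone:  ", compare_validators(BIS_ZONE_DS))    # ('validate', 'validate')
```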
