[dns-operations] NSEC3

Edward Lewis Ed.Lewis at neustar.biz
Mon Jun 26 18:53:38 UTC 2006

At 10:33 +0200 6/26/06, Olaf M. Kolkman wrote:

>In other words; the incremental costs for going from DNSSECbis to DNSSECter
>should be close to NULL at the authoritative server side...

That's not what I was led to believe at the workshop[1] in May.  I 
was told to switch between NSEC and NSEC3 I would need a completely 
different code base and would have to cut over all of my instances in 
a flash - not just zone data but name server software.  To me, that's 
a high cost.

Also, from 

:> Let's just take the .SE and RIPE zones.  What if they are the
:> only ones running NSEC when NSEC3 rolls out?  Do we force
:> them to undo DNSSEC for a transition phase to be like the
:> rest of the world as a penalty for being early adopters?
:If it is necessary to do so: yes.

That thread focused on the lack of a transition plan for NSEC3.  I 
think that having to undo work is a non-trivial.

Disclaimer:  As stated in 
"I suggest that unless Ed plans to actually deploy NSEC3 he should 
not be permitted to attach new requirements for advancement at this 
late stage in the process."  So, take my concerns with a grain of 

[1] http://www.nsec3.org/cgi-bin/trac.cgi/wiki/Workshop1
Edward Lewis                                                +1-571-434-5468

Nothin' more exciting than going to the printer to watch the toner drain...

More information about the dns-operations mailing list