[dns-operations] NSEC3
Edward Lewis
Ed.Lewis at neustar.biz
Mon Jun 26 18:53:38 UTC 2006
At 10:33 +0200 6/26/06, Olaf M. Kolkman wrote:
>In other words; the incremental costs for going from DNSSECbis to DNSSECter
>should be close to NULL at the authoritative server side...
That's not what I was led to believe at the workshop[1] in May. I
was told to switch between NSEC and NSEC3 I would need a completely
different code base and would have to cut over all of my instances in
a flash - not just zone data but name server software. To me, that's
a high cost.
Also, from
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00680.html
:> Let's just take the .SE and RIPE zones. What if they are the
:> only ones running NSEC when NSEC3 rolls out? Do we force
:> them to undo DNSSEC for a transition phase to be like the
:> rest of the world as a penalty for being early adopters?
:
:If it is necessary to do so: yes.
That thread focused on the lack of a transition plan for NSEC3. I
think that having to undo work is non-trivial.
Disclaimer: As stated in
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00664.html:
"I suggest that unless Ed plans to actually deploy NSEC3 he should
not be permitted to attach new requirements for advancement at this
late stage in the process." So, take my concerns with a grain of
salt.
[1] http://www.nsec3.org/cgi-bin/trac.cgi/wiki/Workshop1
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Nothin' more exciting than going to the printer to watch the toner drain...