[dns-operations] NSEC3
Roy Arends
roy at dnss.ec
Tue Jun 27 14:11:01 UTC 2006
On Jun 26, 2006, at 8:53 PM, Edward Lewis wrote:
> At 10:33 +0200 6/26/06, Olaf M. Kolkman wrote:
>
>> In other words; the incremental costs for going from DNSSECbis to
>> DNSSECter
>> should be close to NULL at the authoritative server side...
>
> That's not what I was led to believe at the workshop[1] in May.
I was there as well, but ....
> I
> was told to switch between NSEC and NSEC3 I would need a completely
> different code base and would have to cut over all of my instances in
> a flash - not just zone data but name server software. To me, that's
> a high cost.
I do not recall this.
What I recall is that you indeed need new code to be able to support
NSEC3, surprise, surprise.
But that you can gradually roll-over, not 'cut over all of my
instances in a flash'.
> Disclaimer: As stated in
> http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
> msg00664.html:
> "I suggest that unless Ed plans to actually deploy NSEC3 he should
> not be permitted to attach new requirements for advancement at this
> late stage in the process." So, take my concerns with a grain of
> salt.
Okay.
Roy
More information about the dns-operations
mailing list