[dns-operations] NSEC3

Roy Arends roy at dnss.ec
Tue Jun 27 14:11:01 UTC 2006

On Jun 26, 2006, at 8:53 PM, Edward Lewis wrote:

> At 10:33 +0200 6/26/06, Olaf M. Kolkman wrote:
>> In other words; the incremental costs for going from DNSSECbis to  
>> DNSSECter
>> should be close to NULL at the authoritative server side...
> That's not what I was led to believe at the workshop[1] in May.

I was there as well, but ....

> I
> was told to switch between NSEC and NSEC3 I would need a completely
> different code base and would have to cut over all of my instances in
> a flash - not just zone data but name server software.  To me, that's
> a high cost.

I do not recall this.

What I recall is that you indeed need new code to be able to support  
NSEC3, surprise, surprise.

But that you can gradually roll-over, not 'cut over all of my  
instances in a flash'.

> Disclaimer:  As stated in
> http://ops.ietf.org/lists/namedroppers/namedroppers.2006/ 
> msg00664.html:
> "I suggest that unless Ed plans to actually deploy NSEC3 he should
> not be permitted to attach new requirements for advancement at this
> late stage in the process."  So, take my concerns with a grain of
> salt.



More information about the dns-operations mailing list