[dns-operations] NSEC3
Edward Lewis
Ed.Lewis at neustar.biz
Tue Jun 27 15:45:34 UTC 2006

At 16:11 +0200 6/27/06, Roy Arends wrote:
>On Jun 26, 2006, at 8:53 PM, Edward Lewis wrote:
>> I was told [that] to switch between NSEC and NSEC3 I would need a completely
>> different code base and would have to cut over all of my instances in
>> a flash - not just zone data but name server software. To me, that's
>> a high cost.
>
>I do not recall this.
>
>What I recall is that you indeed need new code to be able to support
>NSEC3, surprise, surprise.
>
>But that you can gradually roll-over, not 'cut over all of my instances in
>a flash'.

Along the line of being asked "why would you want to serve both NSEC
and NSEC3 at the same time?" it was said that a server couldn't serve
both up at the same time. That's not the same question, but I was
told that an NSEC3-capable authoritative server would not carry the
NSEC code. The rationale was that a server has to do very different
processing for NSEC and NSEC3, so how would it choose the code path?
This was said by at least one implementer in the room, probably
without considering how it could be done.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Nothin' more exciting than going to the printer to watch the toner drain...