[dns-operations] NSEC3

Edward Lewis Ed.Lewis at neustar.biz
Tue Jun 27 15:45:34 UTC 2006

At 16:11 +0200 6/27/06, Roy Arends wrote:
>On Jun 26, 2006, at 8:53 PM, Edward Lewis wrote:
>>  I was told [that] to switch between NSEC and NSEC3 I would need a completely
>>  different code base and would have to cut over all of my instances in
>>  a flash - not just zone data but name server software.  To me, that's
>>  a high cost.
>I do not recall this.
>What I recall is that you indeed need new code to be able to support
>NSEC3, surprise, surprise.
>But that you can gradually roll-over, not 'cut over all of my instances in
>a flash'.

Along the line of being asked "why would you want to serve both NSEC 
and NSEC3 at the same time?" it was said that a server couldn't serve 
both up at the same time.  That's not the same question, but I was 
told that an NSEC3-capable authoritative server would not carry the 
NSEC code.  The rationale was that a server has to do very different 
processing for NSEC and NSEC3, so how would it choose the code path?

This was said by at least one implementer in the room, probably 
without considering how it could be done.

Edward Lewis                                                +1-571-434-5468

Nothin' more exciting than going to the printer to watch the toner drain...