[dns-operations] NSEC3

Edward Lewis Ed.Lewis at neustar.biz
Tue Jun 27 17:19:37 UTC 2006

At 18:15 +0200 6/27/06, Roy Arends wrote:

>> The rationale was that a server has to do very different processing for
>> NSEC and NSEC3, so how would it choose the code path?
>non sequitur

Not exactly.  If a server is capable of both, how does it choose to 
answer with NSEC or with NSEC3.  Besides the difference between 
plaintext and hashed names, there's also a difference in what the 
records return.  For NSEC, you demonstrate that the name is absent. 
For NSEC3 you demonstrate that a closest encloser is present.

Although I can think of ways for a server to decide, at the time of 
the workshop (which was held before discussion about transition 
issues) it hadn't been considered.

>I'd like that implementer to step forward, if he/she actually exists.

I don't see any need to be so antagonistic.

The workshop consisted of mostly implementers, code writers, and the 
temper was mostly a desire to see if the code that had been built did 
what it was expected to do.  When a collection of implementers gather 
to discuss issues, generally the results are a recommendation to do 
what's easy to implement.  From this, being able to do both NSEC and 
NSEC3 was seen as "code bloat."

The workshop didn't test operational considerations.  For one, the 
test environment was wholly NSEC3, no NSEC at all. Secondly, none of 
the NSEC3 parameters were changed within a zone over the duration of 
the workshop, and the same parameters were used for all zones that 
were NSEC3'd.  I'm not the first one to bring this up, I'm repeating 
what others have said.

I'm not against NSEC3.  I'm against jumping with both feet into a 
pond before knowing how deep it is.  I'm also against jumping into a 
pond before I know that it is what I need to do, and what I want to 

This is not the first time operators will have to give DNSSEC a 
going-over.  This isn't a roadblock, it's another test.

Edward Lewis                                                +1-571-434-5468

Nothin' more exciting than going to the printer to watch the toner drain...
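The NSEC/NSEC3 distinction raised in the message (NSEC proves a name absent, NSEC3 proves a closest encloser present) as an added example that is not part of the thread: Python that computes RFC 5155 NSEC3 hashes and walks the closest-encloser proof over a constructed chain of hashed owners. The zone contents are an assumption; the salt and iteration count are taken from RFC 5155 Appendix A, and none of this is code from the list participants.

```python
import base64
import hashlib

def wire_name(name: str) -> bytes:
    # Canonical wire form (RFC 5155 s.5): lowercase labels, length-prefixed, root terminator
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    # IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt), H = SHA-1
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Owner names use Base32hex (RFC 4648 extended hex); 160 bits -> 32 chars, no padding
    alphabet = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return base64.b32encode(digest).decode().translate(alphabet).lower()

def build_chain(names, salt, iterations):
    # Signer's view: one NSEC3 per existing name (empty non-terminals included),
    # hashed owners sorted and linked into a ring via the "next hashed owner" field
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

def covers(owner: str, nxt: str, h: str) -> bool:
    # h is covered when strictly between owner and next; the last record wraps to the first
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def closest_encloser_proof(qname, zone, chain, salt, iterations):
    # Validator's walk (RFC 5155 s.8.3): from qname toward the apex, the first ancestor
    # whose hash is an NSEC3 owner is the closest encloser; the name one label below it
    # (the "next closer") must be covered. Returns None when qname itself exists.
    labels = qname.lower().rstrip(".").split(".")
    depth = len(labels) - len(zone.lower().rstrip(".").split(".")) + 1
    candidates = [".".join(labels[i:]) + "." for i in range(depth)]  # qname ... apex
    for i, cand in enumerate(candidates):
        if nsec3_hash(cand, salt, iterations) in chain:
            if i == 0:
                return None
            nc_hash = nsec3_hash(candidates[i - 1], salt, iterations)
            return cand, candidates[i - 1], any(covers(o, n, nc_hash) for o, n in chain.items())
    raise ValueError("apex is always present, so this is unreachable for names in the zone")

# Constructed sample zone; salt and iteration count follow RFC 5155 Appendix A (1 0 12 aabbccdd)
SALT, ITER = bytes.fromhex("aabbccdd"), 12
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "w.example.", "x.w.example."]
CHAIN = build_chain(ZONE_NAMES, SALT, ITER)

if __name__ == "__main__":
    print(closest_encloser_proof("a.c.x.w.example.", "example.", CHAIN, SALT, ITER))
```

Note that w.example. is an empty non-terminal in this constructed zone and still gets its own NSEC3, which is one of the places NSEC3 processing diverges from NSEC.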
