[dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

Andrew Sullivan ajs at anvilwalrusden.com
Tue Apr 13 23:33:53 UTC 2021


On Tue, Apr 13, 2021 at 12:40:08PM -0400, Viktor Dukhovni wrote:

> NSEC3 was primarily designed for "opt-out", which actually
> deliberately reduces security in order to gain a more compact zone
> with fewer records to sign. […]  While discouraging casual zone
> walking is also a feature of NSEC3, this is a secondary benefit, that
> is oversold.

This is not how I recall the history.  What I recall was that there
_was_ an opt-out (well, it was opt-in) proposed that was rejected
mostly for political or maybe techno-political reasons.  This actually
made DNSSEC look really problematic to deploy in one hugely important
TLD, which seemed like a pretty bad barrier.  Then (a) certain large
delegation-centric zone operator(s) from Europe (it's now kind of
ironic which the leader was) got a legal opinion that the GDPR would
raise problems for them due to zone walking[1], and so something else
had to be created.  The zone-walking-resistant NSEC3 was an
opportunity to reintroduce opt-out, and since NSEC3 was so obviously
useful only for TLDs the techno-political objections to opt-out were
somehow dissolved.

Maybe some others have a different memory of this, though?

Best regards,


[1] As I heard it told, even the lawyers agreed it was stupid, but it
was the consequence of some detail of the law.  This hearsay is not
admissible in any proceeding, I'm sure.

Andrew Sullivan
ajs at anvilwalrusden.com