[dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

Paul Vixie paul at redbarn.org
Wed Apr 14 00:30:56 UTC 2021

On Tue, Apr 13, 2021 at 07:33:53PM -0400, Andrew Sullivan wrote:
> ... What I recall was that there
> _was_ an opt-out (well, it was opt-in) proposed that was rejected
> mostly for political or maybe techno-political reasons.  This actually
> made DNSSEC look really problematic to deploy in one hugely important
> TLD, which seemed like a pretty bad barrier.  Then (a) certain large
> delegation-centric zone operator(s) from Europe (it's now kind of
> ironic which the leader was) got a legal opinion that the GDPR would
> raise problems for them due to zone walking[1], and so something else
> had to be created.  The zone-walking-resistant NSEC3 was an
> opportunity to reintroduce opt-out, and since NSEC3 was so obviously
> useful only for TLDs the techno-political objections to opt-out were
> somehow dissolved.
> Maybe some others have a different memory of this, though?

that matches my recollection. there are other story elements, such as
the working group meeting that devolved to queues of people shouting
at each other from various microphones.

ultimately, dnssec was NOT going to be deployed, even a little, without
opt-in/out. however, first we had to uglify, complexify, and add another
three to four years of "ideology delay".

Paul Vixie
