[dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

Jaap Akkerhuis jaap at NLnetLabs.nl
Wed Apr 14 07:44:33 UTC 2021

 Andrew Sullivan writes:

About this part:

 > <...>
 > raise problems for them due to zone walking[1], and so something else
 > had to be created.  The zone-walking-resistant NSEC3 was an
 > opportunity to reintroduce opt-out, 
 > Maybe some others have a different memory of this, though?
 > [1] As I heard it told, even the lawyers agreed it was stupid, but it
 > was the consequence of some detail of the law.  This hearsay is not
 > admissible in any proceeding, I'm sure.

I do remember there was some discussion in Europe. At SIDN we (Where
I was at that time) commissioned some academic research (Tilburg
University I think) to see whether NSEC was interfering with privacy
concerns (including European regulations). The conclusion was it
didn't and got ignored.  So NSEC3 developing of NSEC3 started, The
opt-out thing got sneaked in and yes, the big zone problem was the
motive for that.


More information about the dns-operations mailing list