[dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

Jim Reid jim at rfc1035.com
Wed Apr 14 08:55:47 UTC 2021

> On 14 Apr 2021, at 01:30, Paul Vixie <paul at redbarn.org> wrote:
> that matches my recollection. there are other story elements, such as
> the working group meeting that devolved to queues of people shouting
> at each other from various microphones.

Paul, are you suggesting that’s only ever happened at *one* IETF WG meeting? :-)

> ultimately, dnssec was NOT going to be deployed, even a little, without
> opt-in/out. however, first we had to uglify, complexify, and add another
> three to four years of "ideology delay".

My memory of the details of those events is a bit different. A few big TLDs said they would not deploy DNSSEC-bis because it allowed zone enumeration and that’s what led to the effort on DNSSEC-ter.

IIRC opt-in/out wasn’t a factor in those TLDs rejecting DNSSEC-bis. [Though it might well have been an issue for Verisign who were facing the prospect of signing zillions of delegations in .com/.net when it was expected only a handful of these would be likely to be signed.] The dnsext WG had debated opt-in at length while DNSSEC-bis was being developed. There was much shouting at the mikes at meetings and on the mailing lists about this topic. A chain of opt-in NSEC records would just yield the names of the signed delegations. Eventually the WG decided opt-in was bad because it prevented proof of non-existence. So DNSSEC-bis didn’t get to offer opt-in. 

However when work on DNSSEC-ter started, the proponents of opt-in were able to get this added to the spec. By then the WG was too exhausted and burnt out to rehash the previous arguments for yet another couple of years. The general mood was get DNSSEC-ter quickly out the door and close the WG. I think the concept got renamed to opt-out in RFC5155 because opt-in had become a far too contentious term for the WG.
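As an added illustration, not part of Jim's post or the quoted reply, here is a small Python model of an NSEC-style chain that shows the two points made above: a chain covering only signed delegations enumerates exactly those names, and a validator cannot turn a covering span into a proof of non-existence once the span may hide unsigned delegations (the opt-out flag of RFC 5155). The zone contents, the `Span` class and the use of plain, unhashed owner names are constructed simplifications of the real NSEC3 format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Span:
    owner: str      # owner of the NSEC-style record
    next_name: str  # next name in the chain (canonical order, wraps to the apex)
    opt_out: bool   # flag: unsigned delegations may exist inside this span

def canonical_key(name):
    # DNS canonical ordering: compare labels right to left, case-insensitively
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def build_chain(apex, signed, unsigned, opt_out):
    """Chain over the apex and signed delegations; unsigned delegations
    are only included in the full (non-opt-out) chain."""
    names = {apex, *signed} | (set() if opt_out else set(unsigned))
    ordered = sorted(names, key=canonical_key)
    return [Span(o, ordered[(i + 1) % len(ordered)], opt_out)
            for i, o in enumerate(ordered)]

def covering_span(chain, qname):
    k = canonical_key(qname)
    for s in chain:
        lo, hi = canonical_key(s.owner), canonical_key(s.next_name)
        inside = (lo < k < hi) if lo < hi else (k > lo or k < hi)  # last span wraps
        if inside:
            return s
    return None

def verdict(chain, qname):
    """What a validator may conclude about qname from the chain."""
    k = canonical_key(qname)
    if any(canonical_key(s.owner) == k for s in chain):
        return "exists"
    if covering_span(chain, qname).opt_out:
        return "insecure"     # may be an unsigned delegation: absence not proven
    return "nonexistent"      # the span proves nothing lies between owner and next

def names_revealed(chain):
    """Walking the chain enumerates exactly its owner names."""
    return [s.owner for s in chain]

# Constructed sample zone (hypothetical names, not real data).
APEX = "example.com"
SIGNED = ["alpha.example.com", "mike.example.com"]
UNSIGNED = ["bravo.example.com", "zulu.example.com"]
FULL = build_chain(APEX, SIGNED, UNSIGNED, opt_out=False)
OPT_OUT = build_chain(APEX, SIGNED, UNSIGNED, opt_out=True)

if __name__ == "__main__":
    for q in ("ghost.example.com", "bravo.example.com"):
        print(q, verdict(FULL, q), verdict(OPT_OUT, q))
    print(names_revealed(OPT_OUT))
```

With the full chain, `ghost.example.com` is proven absent and `bravo.example.com` is found; with the opt-out chain both come back as merely insecure, and walking the chain reveals only the apex and the signed delegations.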
