[dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

Edward Lewis edward.lewis at icann.org
Wed Apr 14 13:49:58 UTC 2021

On 4/13/21, 7:38 PM, "dns-operations on behalf of Andrew Sullivan" <dns-operations-bounces at dns-oarc.net on behalf of ajs at anvilwalrusden.com> wrote:

>Maybe some others have a different memory of this, though?

I agree with that re-telling.

The idea of an opt-out/in existed prior to NSEC3; it was even implemented in experimental code but never released because the IETF didn't approve of it.  (I wasn't involved in that, but I knew of it.)

When I wrote the first signer (1997 or so), COM was too large to be done, much larger than any other zone even then, for the equipment available to me.  I managed to sign it by doing it in pieces.  While developing the protocol, we didn't want to treat any zone or even any kind of zone ("widely-delegated") as a special case.  That probably (as I wasn't working on it myself) led to the opt-out later on.

A while back I asked some involved in the NSEC3 development if they felt all the effort was worth it.  The answer was yes, it got DNSSEC past the privacy concerns, rightly or wrongly (doesn't matter) and into operations.  The context of my question was the growing revelations of code to reverse engineer the name chain.