[dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)
weiler at watson.org
Wed Apr 14 16:46:09 UTC 2021
On Tue, 13 Apr 2021, Andrew Sullivan wrote:
> On Tue, Apr 13, 2021 at 12:40:08PM -0400, Viktor Dukhovni wrote:
>> NSEC3 was primarily designed for "opt-out", which actually
>> deliberately reduces security in order to gain a more compact zone
>> with fewer records to sign. […] While discouraging casual zone
>> walking is also a feature of NSEC3, this is a secondary benefit, that
>> is oversold.
> This is not how I recall the history. What I recall was that there
> _was_ an opt-out (well, it was opt-in) proposed that was rejected
> mostly for political or maybe techno-political reasons.
This retelling is pretty reasonable.
I also think the DNSEXT chairs got the consensus call on opt-in wrong.
There were at least two of us who opposed it yet were willing to stand
aside and let it go through. And while I sometimes feel called out by
the camel discussions, looking back at namedroppers reminds me that
one of my objections was complexity (which, of course, NSEC3 doubled
down on). I even floated a proposal for "opt-in planned
> Maybe some others have a different memory of this, though?
The opt-in mess was 18 years ago. I'm shocked that I still remember
it in such detail.