[dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

Samuel Weiler weiler at watson.org
Wed Apr 14 16:46:09 UTC 2021

On Tue, 13 Apr 2021, Andrew Sullivan wrote:

> Hi,
> On Tue, Apr 13, 2021 at 12:40:08PM -0400, Viktor Dukhovni wrote:
>> NSEC3 was primarily designed for "opt-out", which actually
>> deliberately reduces security in order to gain a more compact zone
>> with fewer records to sign. […]  While discouraging casual zone
>> walking is also a feature of NSEC3, this is a secondary benefit, that
>> is oversold.
> This is not how I recall the history.  What I recall was that there
> _was_ an opt-out (well, it was opt-in) proposed that was rejected
> mostly for political or maybe techno-political reasons.

This retelling is pretty reasonable.

I also think the DNSEXT chairs got the consensus call on opt-in wrong.
There were at least two of us who opposed it yet were willing to stand
aside and let it go through.  And while I sometimes feel called out by
the camel discussions, looking back at namedroppers reminds me that
one of my objections was complexity (which, of course, NSEC3 doubled
down on).  I even floated a proposal for "opt-in planned


> Maybe some others have a different memory of this, though?

The opt-in mess was 18 years ago.  I'm shocked that I still remember
it in such detail.

-- Sam