[dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

Wellington, Brian bwelling at akamai.com
Wed Apr 14 17:17:07 UTC 2021


That all sounds about right to me, too.

I don’t remember ever yelling into a microphone at an IETF, but I do remember signing all of .com (without NSEC3) in the span of an hour-long dnsext meeting, to show that it was possible with affordable hardware in a reasonable amount of time.

Brian

> On Apr 14, 2021, at 6:49 AM, Edward Lewis <edward.lewis at icann.org> wrote:
> 
> On 4/13/21, 7:38 PM, "dns-operations on behalf of Andrew Sullivan" <dns-operations-bounces at dns-oarc.net on behalf of ajs at anvilwalrusden.com> wrote:
> 
> 
>> Maybe some others have a different memory of this, though?
> 
> I agree with that re-telling.
> 
> The idea of an opt-out/in existed prior to NSEC3, it was even implemented in experimental code but never released because the IETF didn't approve of it.  (I wasn't involved in that, but I knew of it.)
> 
> When I wrote the first signer (1997 or so), COM was too large to be done, much larger than any other zone even then, for the equipment available to me.  I managed to sign it by doing it in pieces.  While developing the protocol, we didn't want to treat any zone or even any kind of zone ("widely-delegated") as a special case.  That probably (as I wasn't working on it myself) led to the opt-out later on.
> 
> A while back I asked some involved in the NSEC3 development if they felt all the effort was worth it.  The answer was yes, it got DNSSEC past the privacy concerns, rightly or wrongly (doesn't matter) and into operations.  The context of my question was the growing revelations of code to reverse engineer the name chain.