[dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

Blacka, David davidb at verisign.com
Mon Apr 19 13:26:20 UTC 2021


As someone who was closely involved at the time, and as one of the editors of RFC5155, I can assure you that Verisign's decision to use NSEC3 was not in any way related to GDPR, privacy, or zone-walking.  Optionality was (and remains) a requirement for signing the .COM zone due to its size.  We could've signed with NSEC if the "opt-in" feature had become a part of the standard.  But NSEC opt-in was rejected and so we embraced NSEC3 with opt-out.

--
David Blacka                      <davidb at verisign.com>
Verisign Fellow                   Product Engineering

On 4/14/21, 7:10 PM, "dns-operations on behalf of Dave Lawrence" <dns-operations-bounces at dns-oarc.net on behalf of tale at dd.org> wrote:

    To me, Andrew's retelling of the facts but for the emphasis.

    There's stated reasons, then there's the motivating reasons. GDPR was
    useful in making the argument, but Verisign and the pain of .com were
    the real motivation.