Re: [DNSOP] Updated NSEC5 protocol spec and paper
Evan Hunt <each@isc.org> Fri, 10 March 2017 17:26 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kEBxhEbHDzJUsY-kc5WDH1fXUD4>
On Fri, Mar 10, 2017 at 03:16:05PM +0000, Woodworth, John R wrote:
> > Is there a community of zone admins who want this so much that they
> > won't start signing until it exists?
>
> With the draft's aliasing of algorithms, why couldn't (wouldn't) a zone
> at least experimenting with this be able to provide 2 sets of keys,
> one pre-NSEC5 and the other NSEC5 and forward?

I think the question pertains to whether it's worthwhile for us to adopt
this. If there are operators who need NSEC5 badly enough that they won't
deploy DNSSEC until it exists, then it makes sense for the working group
to take it on.

If it turns out, however, that everyone who might like NSEC5 is also
reasonably satisfied with NSEC3, then we'd be wasting time on an academic
exercise. It's clever, but it's only necessary if we broadly agree that
NSEC3 isn't meeting our needs. I'm not sold on that point.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.