Re: [DNSOP] Updated NSEC5 protocol spec and paper

Evan Hunt <each@isc.org> Fri, 10 March 2017 17:26 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6DC1296A5 for <dnsop@ietfa.amsl.com>; Fri, 10 Mar 2017 09:26:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OntoMH_oFIxF for <dnsop@ietfa.amsl.com>; Fri, 10 Mar 2017 09:26:57 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 567071296A4 for <dnsop@ietf.org>; Fri, 10 Mar 2017 09:26:57 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 67F553493E8; Fri, 10 Mar 2017 17:26:55 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 5B5C7216C1C; Fri, 10 Mar 2017 17:26:55 +0000 (UTC)
Date: Fri, 10 Mar 2017 17:26:55 +0000
From: Evan Hunt <each@isc.org>
To: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
Message-ID: <20170310172655.GA92236@isc.org>
References: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com> <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org> <A05B583C828C614EBAD1DA920D92866BD06F4468@PODCWMBXEX501.ctl.intranet>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <A05B583C828C614EBAD1DA920D92866BD06F4468@PODCWMBXEX501.ctl.intranet>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kEBxhEbHDzJUsY-kc5WDH1fXUD4>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, "Ballew, Dean" <Dean.Ballew@CenturyLink.com>, 'Paul Hoffman' <paul.hoffman@vpnc.org>, 'JW' <jw@pcthink.com>
Subject: Re: [DNSOP] Updated NSEC5 protocol spec and paper
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 17:26:58 -0000

On Fri, Mar 10, 2017 at 03:16:05PM +0000, Woodworth, John R wrote:
> > Is there a community of zone admins who want this so much that they
> > won't start signing until it exists?
> 
> With the draft's aliasing of algorithms, why couldn't (wouldn't) a zone
> at least experimenting with this be able to provide 2 sets of keys,
> one pre-NSEC5 and the other NSEC5 and forward?

I think the question pertains to whether it's worthwhile for us to adopt
this.

If there are operators who need NSEC5 badly enough that they won't deploy
DNSSEC until it exists, then it makes sense for the working group to take
it on. If it turns out, however, that everyone who might like NSEC5 is also
reasonably satisified with NSEC3, then we'd be wasting time on an academic
exercise.  It's clever, but it's only necessary if we broadly agree that
NSEC3 isn't meeting our needs.  I'm not sold on that point.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.