I believe one of the authors of the paper works for a DNS vendor, so it would be interesting to gauge deployment.

tim


On 3/9/17 12:31 PM, Paul Hoffman wrote:
On 7 Mar 2017, at 7:29, Shumon Huque wrote:

We've requested an agenda slot at the DNSOP working group meeting at
IETF98 to talk about the NSEC5 protocol. Our chairs have requested that
we send out a note to the group ahead of time, so here it is.

This protocol has not to our knowledge been presented at dnsop before,
but has been discussed previously at other IETF venues, such as SAAG.

The protocol described in draft-vcelak-nsec5 has improved since it was
first presented, but it is still unclear why we should adopt it as part
of DNSSEC. The benefits listed in the draft are real, but they come at a
very steep cost for zone administrators who might use NSEC5.

Is there a community of zone admins who want this so much that they
won't start signing until it exists?

Short of that, is there a community of zone admins who are using
NSEC/NSEC3 white lies who find this to be a significant improvement?

If not, adopting this seems like a bad idea. No one can operationally
sign with NSEC5 until nearly all validators have it installed. In the
meantime, a zone admin who cares about zone enumeration and wants to
sign will use white lies, and those who don't care about zone
enumeration won't pay any attention to this.

Even though this document has some really nice design decisions in it,
should it be adopted in DNSSEC unless it is likely to be deployed?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
