> On 10 Mar 2017, at 18:30, Frederico A C Neves <fne...@registro.br> wrote:
>
> I know others have already stated this but zone enumeration, at least
> at that time, was never the real reason for NSEC3, size of signing
> zones with mostly unsigned delegations was. This was only needed
> because of the WG's lack of management and sensibility to operators'
> needs leading to the historical debacle of opt-in.
There’s some selective rewriting of history going on here, Fred. Zone enumeration was an absolute showstopper for a bunch of European ccTLDs. They said they would not deploy DNSSEC-bis under any circumstances. I distinctly remember several conversations with the board and management of Nominet about this, their willingness to spend “whatever it took” to get NSEC3 done, and how long it would take the IETF to finish that new protocol. AFAICT the size of the signed zone or the time it took to sign was not a significant concern for those TLDs.

Opt-in was largely a side issue in the development of DNSSEC-ter, albeit an important one for Verisign. Roy Arends invented opt-in while DNSSEC-bis was being developed ~15 years ago. [I was his boss at the time and deeply unhappy that opt-in was going to create so much controversy that it would delay completion of DNSSEC-bis for at least a year or two. The company we worked for planned to sell DNS software that supported this new-fangled DNSSEC thing, so there were business drivers to get DNSSEC finalised quickly.]

There was a *very* long and tedious argument in dnsext about opt-in. The eventual consensus in the WG was that authenticated proof of non-existence mattered. So opt-in for DNSSEC-bis got killed and DNSSEC-bis was finally pushed out the door.

After DNSSEC-bis was done, work began on DNSSEC-ter. Opt-in got dug up. Or hadn’t really gone away. By then the WG was long past caring and had no appetite to repeat the same arguments about authenticated proof of non-existence all over again. So opt-in found its way into the DNSSEC-ter spec.

Verisign might well have said then that signing .com/.net/.org wouldn’t happen unless they got a protocol that included opt-in. [They may have made (and lost?) the same argument when work on DNSSEC-bis was under way.] But that would have been after dnsext had already decided to do DNSSEC-ter and solve the zone enumeration problem that had effectively killed DNSSEC-bis deployment at birth.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop