On 4/13/21, 7:38 PM, "dns-operations on behalf of Andrew Sullivan" 
<dns-operations-boun...@dns-oarc.net on behalf of a...@anvilwalrusden.com> 
wrote:


>Maybe some others have a different memory of this, though?

I agree with that re-telling.

The idea of an opt-out/in existed prior to NSEC3; it was even implemented in 
experimental code but never released because the IETF didn't approve of it.  (I 
wasn't involved in that, but I knew of it.)

When I wrote the first signer (1997 or so), COM was too large to be done, much 
larger than any other zone even then, for the equipment available to me.  I 
managed to sign it by doing it in pieces.  While developing the protocol, we 
didn't want to treat any zone or even any kind of zone ("widely-delegated") as 
a special case.  That probably (as I wasn't working on it myself) led to the 
opt-out later on.

A while back I asked some of those involved in the NSEC3 development if they felt all 
the effort was worth it.  The answer was yes, it got DNSSEC past the privacy 
concerns, rightly or wrongly (doesn't matter), and into operations.  The context 
of my question was the growing revelations of code to reverse engineer the 
name chain.


_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
