On Wednesday, March 11, 2015 10:02:31 AM Paul Hoffman wrote:
> Proposal: until there is evidence that there is a community that needs the
> features of NSEC5 that cannot be easily replicated in NSEC3, this WG does
> not consider a protocol change that would require every resolver to be
> updated.
I think that's reasonable. On the other hand, I would still appreciate some feedback on the proposed NSEC/NSEC3 -> NSEC5 transition mechanism, which is currently quite painful and I consider it the weakest point of the proposal. I believe that finding an alternative would make NSEC5 acceptable for more people.

Currently, the transition is done the same way as in NSEC -> NSEC3, using the DNSKEY algorithm aliases. That time it was easy - only two aliases were allocated for RSA and DSA with SHA-1. Right now, we have at least four suitable algorithms: RSA with SHA-{256,512} and ECDSA P-{256,384}.

Jan

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
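As an added illustration (my own code, not from the thread or the NSEC5 draft): a small Python model of the DNSKEY algorithm-alias transition the message refers to, showing why it worked for NSEC -> NSEC3 and what repeating it for NSEC5 would cost. The algorithm numbers for the existing algorithms are the real IANA assignments; the NSEC5 alias codes and the per-generation resolver algorithm sets are assumptions made up for the demo.

```python
# Added example, not code from the thread. Models the algorithm-alias trick:
# a zone re-signs with an alias code that announces the new denial scheme, and
# validators that do not know the code fall back to treating the zone as
# Insecure, so nothing breaks for them.

# Real IANA DNSSEC algorithm numbers.
DSA, RSASHA1 = 3, 5
DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1 = 6, 7      # aliases that signal NSEC3 support
RSASHA256, RSASHA512 = 8, 10
ECDSAP256SHA256, ECDSAP384SHA384 = 13, 14

# Real NSEC3 aliases: base algorithm -> alias code (only two were needed).
NSEC3_ALIASES = {DSA: DSA_NSEC3_SHA1, RSASHA1: RSASHA1_NSEC3_SHA1}

# Hypothetical NSEC5 aliases: each of the four suitable algorithms named in the
# mail would need its own new code. The 9xx values are placeholders, NOT IANA
# assignments.
NSEC5_ALIASES = {RSASHA256: 900, RSASHA512: 901,
                 ECDSAP256SHA256: 902, ECDSAP384SHA384: 903}

# Assumed algorithm sets understood by resolvers of three generations.
LEGACY_RESOLVER = {DSA, RSASHA1}                         # predates NSEC3
CURRENT_RESOLVER = LEGACY_RESOLVER | set(NSEC3_ALIASES.values()) | {
    RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384}
NSEC5_RESOLVER = CURRENT_RESOLVER | set(NSEC5_ALIASES.values())


def zone_outcome(zone_algorithms, resolver_supported):
    """RFC 4035 section 5.2 rule that makes aliasing a safe transition: a
    validator that supports none of the algorithms a zone is signed with treats
    the zone as Insecure (as if unsigned) rather than Bogus, so pre-transition
    resolvers keep resolving it; a validator that knows the code validates."""
    if any(alg in resolver_supported for alg in zone_algorithms):
        return "validate"
    return "insecure"


def alias_for(base_algorithm, alias_table):
    """Code a zone must re-sign with to switch denial schemes. None means the
    registry holds no alias for that base algorithm, so the zone cannot migrate
    until one is allocated: the scaling problem the mail points at."""
    return alias_table.get(base_algorithm)


def aliases_needed(base_algorithms, alias_table):
    """Base algorithms in use that still lack an alias in the table."""
    return [a for a in base_algorithms if alias_for(a, alias_table) is None]
```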