The perfect is the enemy of the good. I suggest we first deploy NSEC0 which simply nulls out the whole NSEC/NXT issue entirely. At this point anyone who is deploying DNSSEC is helping the cause. Do not set membership requirements that exclude them.
Node insertion is a security concern for some DNSSEC applications but not for all. Implementing NSEC0 would not be a burden on validators. If nobody uses it then there is no harm to it. If people only use it for a short time during deployment then it is useful. If people use it and won't stop then that is proof of a demand for NSEC5. I completely reject your notion of where validation occurs and what the value is, BTW, but that is a different issue. Bottom line is that I do not depend on validators being deployed to the end points, as I do not expect that to happen soon and quite possibly not ever.

On Thu, Mar 9, 2017 at 12:31 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On 7 Mar 2017, at 7:29, Shumon Huque wrote:
>
>> We've requested an agenda slot at the DNSOP working group meeting at
>> IETF98 to talk about the NSEC5 protocol. Our chairs have requested that
>> we send out a note to the group ahead of time, so here it is.
>>
>> This protocol has not to our knowledge been presented at dnsop before,
>> but has been discussed previously at other IETF venues, such as SAAG.
>
> The protocol described in draft-vcelak-nsec5 has improved since it was
> first presented, but it is still unclear why we should adopt it as part of
> DNSSEC. The benefits listed in the draft are real, but they come at a very
> steep cost for zone administrators who might use NSEC5.
>
> Is there a community of zone admins who want this so much that they won't
> start signing until it exists?
>
> Short of that, is there a community of zone admins who are using
> NSEC/NSEC3 white lies who find this to be a significant improvement?
>
> If not, adopting this seems like a bad idea. No one can operationally sign
> with NSEC5 until nearly all validators have it installed. In the meantime,
> a zone admin who cares about zone enumeration and wants to sign will use
> white lies, and those who don't care about zone enumeration won't pay any
> attention to this.
>
> Even though this document has some really nice design decisions in it,
> should it be adopted in DNSSEC unless it is likely to be deployed?
>
> --Paul Hoffman
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
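The "white lies" the thread contrasts with NSEC5 are the minimally covering NSEC records of RFC 4470. The script below is an added illustration, not code from this thread or from any of the drafts it mentions: it builds a standard NSEC chain over a constructed sample zone, shows which real names a single NXDOMAIN denial exposes to an enumerating client, and then synthesises a covering record that exposes none. The predecessor construction is a simplified version of the RFC 4470 method and the zone contents are constructed.

```python
from typing import List, Optional, Tuple

# Constructed sample zone; the apex is "example." (not a real zone's contents).
ZONE = ["example.", "alpha.example.", "charlie.example.", "zulu.example."]


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 s6.1 canonical order: labels compared right to
    left as case-folded byte strings; a name with fewer labels sorts first."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(l.encode("latin-1") for l in reversed(labels))


def nsec_chain(names: List[str]) -> List[Tuple[str, str]]:
    """Standard NSEC chain: each owner points at the next name in canonical
    order and the last record wraps around to the apex."""
    s = sorted(names, key=canonical_key)
    return [(s[i], s[(i + 1) % len(s)]) for i in range(len(s))]


def standard_denial(names: List[str], qname: str) -> Optional[Tuple[str, str]]:
    """The pre-signed NSEC record that proves qname does not exist, or None
    when qname is a real name (then there is nothing to deny)."""
    k = canonical_key(qname)
    for owner, nxt in nsec_chain(names):
        ok, nk = canonical_key(owner), canonical_key(nxt)
        # Second clause handles the wrap-around record (next name <= owner).
        if ok < k < nk or (nk <= ok and (k > ok or k < nk)):
            return owner, nxt
    return None


def white_lie(qname: str) -> Tuple[str, str]:
    """Minimally covering NSEC in the spirit of RFC 4470: the owner is the
    predecessor of qname (last octet of the leftmost label decremented, then
    padded with \\255 octets to a full 63-octet label) and the next name is
    qname with a "\\000" label prepended. Neither is a real zone name."""
    first, rest = qname.split(".", 1)
    pred_label = first[:-1] + chr(ord(first[-1]) - 1)
    pred_label += "\xff" * (63 - len(pred_label))
    return pred_label + "." + rest, "\x00." + qname


def leaked(denial: Tuple[str, str], names: List[str]) -> List[str]:
    """Real zone names an enumerating client learns from one denial."""
    return sorted(n for n in denial if n in names)
```

With a signed chain, every NXDOMAIN answer hands out two real neighbours, which is exactly the enumeration the thread is discussing; the synthesised cover proves the same non-existence to a validator without naming any neighbour, at the cost of online signing on the authoritative server.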