> -----Original Message-----
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Paul Hoffman
>
> On 7 Mar 2017, at 7:29, Shumon Huque wrote:
>
> > We've requested an agenda slot at the DNSOP working group meeting at
> > IETF98 to talk about the NSEC5 protocol. Our chairs have requested
> > that we send out a note to the group ahead of time, so here it is.
> >
> > This protocol has not to our knowledge been presented at dnsop before,
> > but has been discussed previously at other IETF venues, such as SAAG.
>
> The protocol described in draft-vcelak-nsec5 has improved since it
> was first presented, but it is still unclear why we should adopt it
> as part of DNSSEC. The benefits listed in the draft are real, but they
> come at a very steep cost for zone administrators who might use NSEC5.
>

Hi Paul,

Apologies, I am somewhat new to this draft (and admittedly to the process), but what I read was a very elegant solution to this steep cost. The authors seem to have gone through great pains to bridge this period of incompatibility.

> Is there a community of zone admins who want this so much that they
> won't start signing until it exists?
>

With the draft's aliasing of algorithms, why couldn't (wouldn't) a zone at least experimenting with this be able to provide 2 sets of keys, one pre-NSEC5 and the other NSEC5 and forward? I might be missing something here, but I think I may actually love the simplicity of it, and it seems to be at least a viable bridge to NSEC5 as part of the future. This seems to be a great use of what RFC-4035 and RFC-6840 hint at regarding multiple keys / multiple signatures.

Best regards,
John

> Short of that, is there a community of zone admins who are using
> NSEC/NSEC3 white lies who find this to be a significant improvement?
>
> If not, adopting this seems like a bad idea. No one can operationally
> sign with NSEC5 until nearly all validators have it installed. In the
> meantime, a zone admin who cares about zone enumeration and wants to
> sign will use white lies, and those who don't care about zone
> enumeration won't pay any attention to this.
>
> Even though this document has some really nice design decisions in
> it, should it be adopted in DNSSEC unless it is likely to be
> deployed?
>
> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop