On Fri, Mar 10, 2017 at 03:16:05PM +0000, Woodworth, John R wrote:
> > Is there a community of zone admins who want this so much that they
> > won't start signing until it exists?
> 
> With the draft's aliasing of algorithms, why couldn't (wouldn't) a zone
> at least experimenting with this be able to provide 2 sets of keys,
> one pre-NSEC5 and the other NSEC5 and forward?

I think the question pertains to whether it's worthwhile for us to adopt
this.

If there are operators who need NSEC5 badly enough that they won't deploy
DNSSEC until it exists, then it makes sense for the working group to take
it on. If it turns out, however, that everyone who might like NSEC5 is also
reasonably satisified with NSEC3, then we'd be wasting time on an academic
exercise.  It's clever, but it's only necessary if we broadly agree that
NSEC3 isn't meeting our needs.  I'm not sold on that point.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to