Paul Hoffman writes:
> Is there a community of zone admins who want this so much that they
> won't start signing until it exists?

I think that question is a little extreme and need not go that far to determine whether something is worthwhile to pursue.

My interest in NSEC5 is largely around the significant performance gains it has over NSEC3-WhiteLies, with double the throughput reported in "Can NSEC5 be Practical for DNSSEC Deployments" <https://eprint.iacr.org/2017/099.pdf>. We have a large number of zones that are not yet signed, and a non-trivial part of that is because of performance. NSEC5 has an impact in addressing that issue.

Professionally, I'm somewhat less concerned about the enumeration issue because at least some of the zones where I want to use it have highly structured names anyway. Enumerating them is trivial even in plain old non-DNSSEC DNS. In the other, less-structured zones that we already sign we use classic NSEC3 and are considering going to NSEC3-WL on behalf of customers that do care about it. We have online ksks for other features required of these zones.

On a personal level I appreciate that this proposal enhances ksk security while addressing the enumeration problem.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop