[dnssec-deployment] NSEC3 progress

Ben Laurie ben at algroup.co.uk
Tue May 24 18:37:43 EDT 2005


Sam Weiler wrote:
> On Tue, 24 May 2005, Steve Crocker wrote:
> 
> 
>>The NSEC problem is also high on the list. Whether we can hustle 
>>NSEC3 fast enough is more problematical.  I would not let up any 
>>pressure on these at all.
> 
> 
> It looks to me like we already have let up the pressure.  Or, perhaps 
> more correctly, the proponents of NSEC3 have let up the pressure. 
> The last NSEC3 draft revision came out over three months ago, and 
> there hasn't been a peep about it on the list[1] since April 1st.
> 
> That says to me that people don't care very much.  Perhaps the 
> proponents of it have decided that the epsilon approach is sufficient,
> or they simply don't want to do DNSSEC at all?

It is not that we don't care. The situation is that we're working on a
new draft including what everyone has asked for: corrections of various
kinds, and much more importantly, worked examples and a clear
explanation of the at most three records needed to do a denial,
including wildcards.

This is a fair chunk of work. Expect an update.

It seems to me quite inappropriate to characterise the importance or
relevance of an approach by the amount of list bandwidth it uses up. We
believe in DNSSEC and NSEC3, we want it to happen, we don't want to
waste your time on considering half-baked versions of it.

Cheers,

Ben.


