Hi,

On Tue, Apr 13, 2021 at 12:40:08PM -0400, Viktor Dukhovni wrote:

> NSEC3 was primarily designed for "opt-out", which actually deliberately reduces security in order to gain a more compact zone with fewer records to sign. […] While discouraging casual zone walking is also a feature of NSEC3, this is a secondary benefit, that is oversold.

This is not how I recall the history. What I recall was that there _was_ an opt-out (well, it was opt-in) proposed that was rejected mostly for political or maybe techno-political reasons. This actually made DNSSEC look really problematic to deploy in one hugely important TLD, which seemed like a pretty bad barrier.

Then (a) certain large delegation-centric zone operator(s) from Europe (it's now kind of ironic which the leader was) got a legal opinion that the GDPR would raise problems for them due to zone walking[1], and so something else had to be created. The zone-walking-resistant NSEC3 was an opportunity to reintroduce opt-out, and since NSEC3 was so obviously useful only for TLDs, the techno-political objections to opt-out were somehow dissolved.

Maybe some others have a different memory of this, though?

Best regards,

A

[1] As I heard it told, even the lawyers agreed it was stupid, but it was the consequence of some detail of the law. This hearsay is not admissible in any proceeding, I'm sure.

--
Andrew Sullivan
[email protected]
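The two technical points in the quoted paragraph (opt-out shrinks the NSEC3 chain; hashing only discourages casual walking) as an added example that is not from this thread: it implements the RFC 5155 hashed owner name and uses the salt, iteration count and names of the RFC's Appendix A zone as constructed sample input.

```python
import base64
import hashlib

# base32 (RFC 4648) alphabet -> base32hex alphabet, as RFC 5155 s5 requires.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def canonical_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: IH(x,0) = H(x||salt); IH(x,k) = H(IH(x,k-1)||salt); SHA-1, base32hex, lowercase."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def nsec3_chain(names, salt_hex, iterations, insecure_delegations=(), opt_out=False):
    """Sorted hashed owners the chain must carry. With opt-out (RFC 5155 s6) unsigned
    delegations get no NSEC3 record, which is the 'fewer records to sign' trade-off."""
    covered = [n for n in names if not (opt_out and n in insecure_delegations)]
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in covered)

def recover_names(hashed_owners, candidates, salt_hex, iterations):
    """Map hashed owners back to any candidate name that hashes to them. Cheap dictionary
    matching like this is why hashing only discourages casual walking; use it to audit
    which of your own zone's names a public wordlist would reveal."""
    table = {nsec3_hash(c, salt_hex, iterations): c for c in candidates}
    return {h: table[h] for h in hashed_owners if h in table}

# Constructed sample input: RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations)
# and that zone's names; c.example is the insecure delegation the RFC opts out.
SALT, ITERS = "aabbccdd", 12
ZONE_NAMES = ["example", "a.example", "ai.example", "c.example", "ns1.example",
              "ns2.example", "w.example", "x.w.example", "x.y.w.example",
              "xx.example", "y.w.example", "*.w.example"]
INSECURE = {"c.example"}

if __name__ == "__main__":
    full = nsec3_chain(ZONE_NAMES, SALT, ITERS, INSECURE, opt_out=False)
    slim = nsec3_chain(ZONE_NAMES, SALT, ITERS, INSECURE, opt_out=True)
    print(f"chain length without opt-out: {len(full)}, with opt-out: {len(slim)}")
    guessed = recover_names(slim, ["www.example", "a.example", "mail.example"], SALT, ITERS)
    print("names recovered from a 3-word candidate list:", sorted(guessed.values()))
```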
