On Tue, Apr 13, 2021 at 07:33:53PM -0400, Andrew Sullivan wrote:
> ... What I recall was that there
> _was_ an opt-out (well, it was opt-in) proposed that was rejected
> mostly for political or maybe techno-political reasons. This actually
> made DNSSEC look really problematic to deploy in one hugely important
> TLD, which seemed like a pretty bad barrier. Then (a) certain large
> delegation-centric zone operator(s) from Europe (it's now kind of
> ironic which the leader was) got a legal opinion that the GDPR would
> raise problems for them due to zone walking[1], and so something else
> had to be created. The zone-walking-resistant NSEC3 was an
> opportunity to reintroduce opt-out, and since NSEC3 was so obviously
> useful only for TLDs the techno-political objections to opt-out were
> somehow dissolved.
>
> Maybe some others have a different memory of this, though?

that matches my recollection. there are other story elements, such as the working group meeting that devolved to queues of people shouting at each other from various microphones. ultimately, dnssec was NOT going to be deployed, even a little, without opt-in/out. however, first we had to uglify, complexify, and add another three to four years of "ideology delay".

--
Paul Vixie
