On Tue, 13 Apr 2021, Andrew Sullivan wrote:

> Hi,
>
> On Tue, Apr 13, 2021 at 12:40:08PM -0400, Viktor Dukhovni wrote:
>> NSEC3 was primarily designed for "opt-out", which actually
>> deliberately reduces security in order to gain a more compact zone
>> with fewer records to sign. […] While discouraging casual zone
>> walking is also a feature of NSEC3, this is a secondary benefit that
>> is oversold.
>
> This is not how I recall the history. What I recall was that there
> _was_ an opt-out (well, it was opt-in) proposed that was rejected
> mostly for political or maybe techno-political reasons.

This retelling is pretty reasonable.

I also think the DNSEXT chairs got the consensus call on opt-in wrong.
There were at least two of us who opposed it yet were willing to stand
aside and let it go through. And while I sometimes feel called out by
the camel discussions, looking back at namedroppers reminds me that
one of my objections was complexity (which, of course, NSEC3 doubled
down on). I even floated a proposal for "opt-in planned
obsolescence".

> ...
>
> Maybe some others have a different memory of this, though?

The opt-in mess was 18 years ago. I'm shocked that I still remember
it in such detail.
-- Sam
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations