
Re: [dnsext] I-D Action:draft-ietf-dnsext-dnssec-rsasha256-07.txt



On Thu, Dec 04, 2008 at 04:06:14PM +1100, Mark Andrews wrote:
> 	RFC5155 used different numbers because we *couldn't* use
> 	the same numbers.  That alone is not sufficient justification
> 	to have separate numbers.

Note that the text merely says that it's in keeping with the previous
approach.  All that means is that there's a precedent; that isn't a
claim of justification.
 
> 	The only reason to have different numbers is if the wg
> 	believes that there will be DNSSEC implementations in the
> 	future that will not support NSEC3.  Given that a number
> 	of TLD's intend to deploy NSEC3 I can't see any new
> 	implementation not including NSEC3 support.

Why not?  I might want to build a non-validating (authority only)
system that can nevertheless serve NSEC and not NSEC3 records.  It
wouldn't be useful for TLDs, but it might be useful elsewhere.  See
also Jelte's point about downgrades.

During WGLC, there appeared to be many strong arguments in favour of
separating these pieces, and I heard no arguments in favour of keeping
them joined.  So that's what we've decided to do.  Speaking
personally, it seems to me that on grounds of feature isolation, it's
preferable anyway.  But speaking as document shepherd, my impression
of the rough consensus was that people wanted the NSEC/NSEC3
issue to be separate from the SHA2 issue.  I haven't so far seen
anything to suggest otherwise.

Best regards,
Andrew

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>