
[dnsext] explicit non-support of NSEC3



Andrew Sullivan wrote on 12/09/2008 03:34:21 PM:

> On Tue, Dec 09, 2008 at 02:24:10PM +1100, Mark Andrews wrote:
> 
> >         The only reason for having two numbers is if you believe
> >         there there is a reason to support validators which can do
> >         RSA/SHA-256 and not NSEC3.  I don't see a need to support
> >         that combination.
> 
> I determined during working group last call, however, that others
> _did_ see a need to support that combination.  Moreover, I buy the
> argument that we shouldn't link these two issues together.  If there
> is a validator that can't do NSEC3 and they find they suddenly want
> to do SHA-2, why do we want to put an extra barrier in their way?

Such a validator _can_ implement SHA-2. Since such a validator explicitly
does not implement NSEC3, it can now treat zones with these NSEC3 records
as unsigned.

The method used in RFC5155 was to protect legacy validators against
unknown extensions. Since RFC5155 is an integral part of DNSSEC, I see no
reason to further fork the algorithm space. Imho, a validator does not
have to understand NSEC3 to be able to validate, parse, or even signal its
presence.

Regards,

Roy Arends
Sr. Researcher
Nominet UK
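To make the mechanism under discussion concrete, here is an added example (not part of the thread, and not code from any named DNSSEC implementation) modelling how a validator decides between validating a zone and treating it as unsigned. It assumes the IANA algorithm numbers 3 (DSA), 5 (RSA/SHA-1), 6 and 7 (the NSEC3 aliases from RFC 5155) and 8 (RSA/SHA-256); the two-step decision is a simplified model of RFC 4035 section 5.2 plus the behaviour argued for above.

```python
# Constructed model of the "unknown algorithm => treat zone as unsigned" rule.
#
# IANA DNSSEC algorithm numbers (assumed, not taken from the thread):
DSA, RSASHA1, DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1, RSASHA256 = 3, 5, 6, 7, 8

# RFC 5155 did not add new cryptography; 6 and 7 are the same signatures as
# 3 and 5 under a new number, so a validator written before RFC 5155 never
# lists 6 or 7 as supported and therefore never tries to validate an NSEC3
# zone, which avoids validation failures on records it cannot parse.
NSEC3_ALIAS = {DSA_NSEC3_SHA1: DSA, RSASHA1_NSEC3_SHA1: RSASHA1}

# Supported-algorithm sets for three constructed validator profiles.
LEGACY_VALIDATOR = {DSA, RSASHA1}                       # pre-RFC 5155
NSEC3_AWARE_VALIDATOR = LEGACY_VALIDATOR | set(NSEC3_ALIAS) | {RSASHA256}
SHA2_NO_NSEC3_VALIDATOR = LEGACY_VALIDATOR | {RSASHA256}  # the disputed combination


def zone_status(ds_algorithms, zone_denial, supported_algorithms, implements_nsec3):
    """Return 'secure' if the validator will attempt validation of the zone,
    or 'insecure' if it must treat the zone as unsigned.

    ds_algorithms: algorithm numbers seen in the parent's DS RRset.
    zone_denial: 'NSEC' or 'NSEC3', the denial-of-existence type the zone uses.
    """
    # Step 1 (RFC 4035 s.5.2): if no DS algorithm is supported, the zone is
    # unsigned from this validator's point of view. Because of the aliasing in
    # NSEC3_ALIAS, NSEC3 zones drop out here for a legacy validator.
    if not any(alg in supported_algorithms for alg in ds_algorithms):
        return "insecure"
    # Step 2 (the position taken in the reply above): a validator that supports
    # the signing algorithm but explicitly does not implement NSEC3 treats an
    # NSEC3 zone as unsigned rather than failing, so a single algorithm number
    # for RSA/SHA-256 is enough and no NSEC3-specific alias is needed.
    if zone_denial == "NSEC3" and not implements_nsec3:
        return "insecure"
    return "secure"


if __name__ == "__main__":
    # Constructed sample zones: one RSA/SHA-1+NSEC3 zone, one RSA/SHA-256+NSEC3 zone.
    print(zone_status({RSASHA1_NSEC3_SHA1}, "NSEC3", LEGACY_VALIDATOR, False))
    print(zone_status({RSASHA256}, "NSEC3", SHA2_NO_NSEC3_VALIDATOR, False))
    print(zone_status({RSASHA256}, "NSEC", SHA2_NO_NSEC3_VALIDATOR, False))
```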

archive: <http://ops.ietf.org/lists/namedroppers/>