
Re: [dnsext] one algorithm number or two



In message <a06240800c5674c7b3f73@[10.31.200.152]>, Edward Lewis writes:
> At 8:59 +1100 12/12/08, Mark Andrews wrote:
> 
> >	We can always go back and assign a NSEC only alias later
> >	if we end up seeing operational problems with the single
> >	assignment.
> 
> I have a hard time imagining the IETF effectively responding to an 
> operational problem in a timely fashion.
> 
> The question is, how confident are we that NSEC3 is "perfect" and 
> will not be supplanted by something else, in the same manner that 
> NSEC3 has supplanted NSEC (in many people's eyes)?

	Ed, validators essentially have to accept what zone operators
	sign with.  Having a second number for NSEC only does not
	change that.  If there is a problem with NSEC3 then we need
	to tell people to sign with NSEC.  Having a second number
	does not change that.  Having a single number doesn't prevent
	zone operators from signing using NSEC.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
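The exchange above turns on how an algorithm number functions as a capability signal to validators. The following is an added example, not code from the thread or from ISC: it models, in simplified form, what RFC 5155 did when it assigned the NSEC3 aliases (algorithm 6 for DSA and 7 for RSA/SHA-1) and how RFC 4035 section 5.2 makes a validator that does not recognise an algorithm treat the zone as insecure rather than bogus. The algorithm numbers are the registered ones; the function names and the three-way outcome model are this example's own simplification (real validators only hit the "bogus" case on denial-of-existence answers).

```python
"""Added example (not part of the original thread): DNSSEC algorithm
numbers as a signal of NSEC3 capability, in a simplified validator model.

RFC 5155 registered numbers 6 and 7 as aliases of 3 and 5 that additionally
mean "this zone uses NSEC3".  A validator written before NSEC3 does not know
6 or 7, so under RFC 4035 section 5.2 it treats the delegation as insecure
(unvalidated) instead of trying to validate and failing.
"""

# Subset of the DNSSEC algorithm registry:
# number -> (signature scheme, zone signed with this number uses NSEC3)
ALGORITHMS = {
    3: ("DSA/SHA-1", False),
    5: ("RSA/SHA-1", False),
    6: ("DSA-NSEC3-SHA1", True),       # alias of 3 for NSEC3 zones (RFC 5155)
    7: ("RSASHA1-NSEC3-SHA1", True),   # alias of 5 for NSEC3 zones (RFC 5155)
}


def validator_supported(understands_nsec3):
    """Algorithm numbers a validator accepts.

    A pre-NSEC3 validator knows only 3 and 5; an NSEC3-aware one also
    knows the aliases 6 and 7.
    """
    return {
        number
        for number, (_scheme, needs_nsec3) in ALGORITHMS.items()
        if understands_nsec3 or not needs_nsec3
    }


def validate_zone(zone_alg, zone_uses_nsec3, understands_nsec3):
    """Outcome of validating a zone signed with algorithm `zone_alg`.

    zone_uses_nsec3    -- the zone's denial-of-existence type (NSEC3 vs NSEC)
    understands_nsec3  -- whether the validator implements NSEC3
    Returns "secure", "insecure" or "bogus" (simplified model).
    """
    if zone_alg not in validator_supported(understands_nsec3):
        # RFC 4035 5.2: no supported algorithm in the DS set -> treat the
        # zone as unsigned.  This is the graceful path an alias buys.
        return "insecure"
    # The validator supports the algorithm, so it is obliged to validate
    # every answer, including negative ones.  An NSEC-only validator that
    # meets NSEC3 records cannot prove the denial and fails closed.
    if zone_uses_nsec3 and not understands_nsec3:
        return "bogus"
    return "secure"


def compare_assignments(understands_nsec3):
    """Contrast 'one number' (5 reused for NSEC3 zones) with 'two numbers'
    (7 as the NSEC3 alias) for a validator of the given capability.

    Returns {"single_number": outcome, "alias_number": outcome}.
    """
    return {
        "single_number": validate_zone(5, True, understands_nsec3),
        "alias_number": validate_zone(7, True, understands_nsec3),
    }


if __name__ == "__main__":
    for nsec3_aware in (False, True):
        label = "NSEC3-aware" if nsec3_aware else "pre-NSEC3"
        print(label, "validator:", compare_assignments(nsec3_aware))
```

Running it shows the trade-off the thread is arguing over: a pre-NSEC3 validator facing an NSEC3 zone signed under the shared number 5 returns "bogus", while the same zone signed under alias 7 degrades to "insecure"; an NSEC3-aware validator returns "secure" either way. Mark's point that a single number does not stop an operator from signing with NSEC is also visible: `validate_zone(5, False, False)` is "secure".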