Re: [dnsext] one algorithm number or two
--On 11 December 2008 18:11:19 -0500 Edward Lewis <Ed.Lewis@neustar.biz> wrote:
>> We can always go back and assign a NSEC only alias later
>> if we end up seeing operational problems with the single
>> assignment.
> I have a hard time imagining the IETF effectively responding to an
> operational problem in a timely fashion.
I have a hard time working out what kind of operational problem
would require such action. Presumably a serious NSEC3 protocol
flaw that made it less usable than NSEC (i.e. not merely
in its non-enumerability qualities), COMBINED WITH an operational
requirement to move to rsasha256. If there is a realistic possibility
this might occur in a timescale quicker than it takes IETF to
allocate an algorithm number, why aren't we making rsasha256 support
mandatory anyway?
> The question is, how confident are we that NSEC3 is "perfect" and will
> not be supplanted by something else, in the same manner that NSEC3 has
> supplanted NSEC (in many people's eyes)?
No, I don't think that is the question. If NSEC3 is supplanted by something
else, we would presumably need signalling of that for all algorithms.
I think the question is "how confident are we that NSEC3 will not
be supplanted by NSEC" as it's only NSEC to which it is being proposed
that no algorithm number be allocated.
Alex
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
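The alias mechanism the thread is arguing about, as an added illustration that is not part of any message in it: a toy Python model of how a DNSSEC algorithm number doubles as an NSEC3-capability signal and what an NSEC-only validator does when it meets each choice. The algorithm numbers (5, 7, 8) and the "unknown algorithm means insecure" rule are taken from RFC 4034, RFC 5155 and RFC 5702 (the last post-dates this message), not from the post; the three outcome strings are a simplification of validator state.

```python
# Added example, not from the thread. Models the capability-signalling
# role of DNSSEC algorithm numbers for negative answers (denial of existence).
# Numbers are from RFC 4034 (5), RFC 5155 (7, alias of 5) and RFC 5702 (8).

# number -> (name, "this number itself signals NSEC3 support")
ALGORITHMS = {
    5: ("RSASHA1", False),             # NSEC-era number
    7: ("RSASHA1-NSEC3-SHA1", True),   # RFC 5155 alias of 5: signals NSEC3
    8: ("RSASHA256", True),            # RFC 5702: one number, NSEC3 implied
}


def resolver_understands_nsec3(supported):
    """A validator implementing any NSEC3-signalling number must do NSEC3."""
    return any(ALGORITHMS[a][1] for a in supported)


def validate(zone_algs, zone_uses_nsec3, supported):
    """Outcome for a negative answer from a zone signed with zone_algs, as
    seen by a validator supporting the given numbers: 'insecure', 'secure'
    or 'bogus' (simplified)."""
    if not any(a in supported for a in zone_algs):
        # RFC 4035 s5.2: no supported algorithm, treat the zone as unsigned.
        return "insecure"
    if zone_uses_nsec3 and not resolver_understands_nsec3(supported):
        # Signature algorithm is known but the NSEC3 denial cannot be parsed.
        return "bogus"
    return "secure"


def scenarios():
    """Constructed validator profiles: pre-NSEC3 and NSEC3-aware."""
    old = {5}
    new = {5, 7, 8}
    return {
        # The alias number protects the old validator: it falls back to insecure.
        "alias_nsec3_old": validate({7}, True, old),
        "alias_nsec3_new": validate({7}, True, new),
        # An NSEC3 zone signed under the NSEC-era number breaks the old validator.
        "plain_nsec3_old": validate({5}, True, old),
        # A single number for RSASHA256 serves both NSEC and NSEC3 zones.
        "rsasha256_nsec_new": validate({8}, False, new),
        "rsasha256_nsec3_new": validate({8}, True, new),
    }
```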