Re: [dnsext] draft-ietf-dnsext-dnssec-bis-updates and NSEC3
On Thu, 11 Dec 2008, Paul Hoffman wrote:
> The list traffic makes it sound like we all believe that NSEC3 is now really part of DNSSEC deployment. If so, draft-ietf-dnsext-dnssec-bis-updates should say so, given that we want that document to reflect reality. Humorously, that draft doesn't even *mention* NSEC3, despite the overlap in authors.
>
> Proposals for draft-ietf-dnsext-dnssec-bis-updates:
>
> - Add a new section 2.1 that describes NSEC3, says that it is
>   expected to be used in many high-profile zones, and has been widely
>   deployed in resolvers. Say explicitly that DNSSEC is now defined to
>   include NSEC3, although it is expected that some resolvers will only
>   handle NSEC until they are updated.

You might be amused to know that such text already exists in the doc's
XML source, just commented out. In -04 and previous versions, this
document proposed cataloging all known changes to 4033-5, including
4470 and NSEC3. Presumably 4955, 5011, and 4509 could be included now
as well. I'm not recalling why we never included that text -- it may
have been that someone objected to expanding the scope of bis-updates.

As to whether we should include this, doc editor hat off: probably.
Doc editor hat back on: rather than fold this into the existing
section 2 or 3, I'm inclined to add a new section cataloging the
changes made in other documents.

> - Update current sections 2.1, 2.3, 2.4, 2.5, and 4.2 to indicate
>   "NSEC and/or NSEC3" as appropriate.

Absolutely, except not in 2.5 (that error is specific to NSEC).

> - Change the status of the document to say that it updates 4033 as well.

Why?

-- Sam