On 29 Sep 2004, at 00:56, David Farrar wrote:
> However the issue of DNSSEC allowing the zone file to be revealed only became apparent at a later stage.

Incidentally, the by-product of NXT (now NSEC) which allows a zone to be enumerated has been widely publicised for a long time (for years). It is possible that you're suggesting that this is a new issue, or one that has only recently been identified by the DNSSEC architects. This is not true at all.

The NXT-walking feature of DNSSEC was most definitely raised at the 2002 ICANN meeting in Shanghai, to which InternetNZ sent people. I helped teach a room full of ccTLD operators about DNSSEC immediately before that meeting (with Bill Manning) and we definitely talked through slides describing exactly how you could use NXT to extract the full contents of a zone.

The geek.nz/DNSSEC implementation discussions didn't happen until the end of 2003. Claiming that the NXT/NSEC-walking issue was not apparent at the time that InternetNZ undertook to sign all second-level zones under NZ is just disingenuous.

Joe
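The property Joe describes, that the "next owner name" pointers in a zone's NXT/NSEC records chain every name together so the whole zone can be listed, as an added model (not code from the thread; the zone names are constructed and nothing is queried over the network). It is the kind of check a zone operator can run against their own signed data to see exactly what the chain discloses.

```python
# Added example, not from the original thread. Models the NSEC (formerly NXT)
# chain a signer produces and shows that following the "next" pointers from
# the apex reconstructs every owner name in the zone. All data is constructed.

def canonical_key(name: str):
    """Sort key for DNSSEC canonical ordering (RFC 4034 section 6.1):
    labels compared right to left, case-insensitively; a name sorts before
    any name that has it as a suffix."""
    labels = name.lower().rstrip(".").split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def build_nsec_chain(zone_apex: str, owner_names):
    """Build the chain a signer creates: each name points at the next name
    in canonical order, and the last name wraps around to the apex."""
    ordered = sorted(set(owner_names) | {zone_apex}, key=canonical_key)
    return {name: ordered[(i + 1) % len(ordered)] for i, name in enumerate(ordered)}

def walk_nsec_chain(zone_apex: str, nsec_next):
    """Follow 'next' pointers from the apex until the chain wraps back to it.
    nsec_next(name) returns the next owner name carried by the NSEC record at
    `name`. Returns every owner name, apex included, that the chain discloses."""
    names = [zone_apex]
    current = nsec_next(zone_apex)
    while current != zone_apex:
        if current in names:
            raise ValueError("malformed chain: loops before returning to apex")
        names.append(current)
        current = nsec_next(current)
    return names

# Constructed zone for illustration (hypothetical names under a made-up zone).
APEX = "example.nz."
CONSTRUCTED_NAMES = [
    "www.example.nz.", "mail.example.nz.", "secret-host.example.nz.",
    "ns1.example.nz.", "b.a.example.nz.",
]
NSEC_CHAIN = build_nsec_chain(APEX, CONSTRUCTED_NAMES)

def disclosed_names():
    """Everything an observer learns from the chain alone: the full name list."""
    return walk_nsec_chain(APEX, NSEC_CHAIN.__getitem__)

if __name__ == "__main__":
    for owner in disclosed_names():
        print(owner)
```

The walk needs nothing but the plain-text next names, which is why the later NSEC3 record type (RFC 5155) replaces them with hashed names to blunt this enumeration.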