
NSEC5 is a research paper, not a deployed standard. But thanks for calling this out, because it gives us an opportunity to reflect on the fact that, confronted with the problem of enumerable sensitive DNS labels, the best cryptographic minds of the IETF DNS working group came up with a 1990s password file.

One of the ways you can tell that DNSSEC advocates are operating in bad faith is by catching them attempting to argue that nothing in the DNS is secret to begin with. First, that's obvious gaslighting; disabling public zone transfers has been a security best practice since the mid-1990s, and no network security audit would fail to flag you for enabling them. Second, if the DNSSEC advocates actually believed that, they wouldn't have done NSEC3, whitelies, and (now, apparently, at some point in the distant future, NSEC5).

Can't have it both ways on this.
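An added example (not from the thread or any poster) making the "password file" analogy concrete: the NSEC3 hashed owner name defined in RFC 5155 is salted, iterated SHA-1 over the canonical owner name, so a zone operator can audit their own chain against a wordlist exactly as one audits a hashed password file. The zone name, salt, labels and wordlist below are constructed for the example.

```python
import base64
import hashlib

# NSEC3 encodes hashes in base32hex (RFC 4648 extended hex alphabet); Python's
# base64 module only offers standard base32, so translate the alphabet.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 hashed owner name (RFC 5155 section 5, hash algorithm 1 = SHA-1):
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def recovered_names(zone_hashes, wordlist, zone, salt, iterations):
    """Which wordlist entries map onto hashes present in a zone's NSEC3 chain.
    This is the same operation as checking a wordlist against a salted password
    file: one salted, iterated SHA-1 per guess, and no key or secret is needed."""
    table = {nsec3_hash(f"{w}.{zone}", salt, iterations): w for w in wordlist}
    return {table[h] for h in zone_hashes if h in table}

# Constructed zone: an operator's own NSEC3 chain for example.com, with the salt
# and iteration count that would be published in NSEC3PARAM. The owner names
# themselves are what the hashed chain is supposed to hide.
ZONE = "example.com"
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE_HASHES = {nsec3_hash(f"{n}.{ZONE}", SALT, ITERATIONS)
               for n in ["www", "mail", "q7x-internal-db-2"]}
WORDLIST = ["www", "mail", "ftp", "vpn", "intranet"]  # constructed sample wordlist

if __name__ == "__main__":
    # Common labels fall to the wordlist; only the random-looking one survives.
    print(recovered_names(ZONE_HASHES, WORDLIST, ZONE, SALT, ITERATIONS))  # {'www', 'mail'}
```

The only defences the construction offers are the ones a password file offers: unguessable labels, or not publishing the hashes at all (online signing with "white lies").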



> they wouldn't have done NSEC3

Anecdotally, NSEC3 was known at its inception to be insufficient but done anyway to hush privacy advocates.


Definitely seems like a super good-faith effort.


I am simply not going to respond to accusations that I am arguing in bad faith and gaslighting. Please do better.


"DNS names aren't supposed to be secret" is not a good faith argument. It's not your argument: it is a popular trope of DNSSEC advocates. I don't mean to imply anything about you personally --- you're an anonymous abstraction to me, so there's nothing I could reasonably say about you as a person. But the argument you're making is what it is, and I've characterized it, I believe, accurately.

Later

I edited this slightly to make clear that I'm characterizing a trope, not an HN thread.


> "DNS names aren't supposed to be secret" is not a good faith argument.

Yes it is. Here I am, making it. It’s not even about DNSSEC; it has been the truth ever since the DNS itself was designed. Having secret data in DNS is doomed to fail in any number of ways, since DNS was never designed for it.

And you can’t get away with claiming “Oh, I wasn’t calling you a bad faith gaslighter, only other people. Who are making the same argument as you. And I am saying this in a reply to your comment for no reason in particular.”

Since you are, incredibly, doubling down on calling my argument a bad faith argument (instead of responding to it), I have no recourse but to leave it at that.


I'm comfortable with the thread as it stands as well.



