If the NXDOMAIN response is secure, your "ND" bit would at worst be harmless if it were faked, unless you're proposing that the ND bit be retained permanently!

On Wed, Apr 6, 2016 at 2:58 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> On Wed, Apr 06, 2016 at 02:33:28PM -0300,
>  George Michaelson <g...@algebras.org> wrote
>  a message of 38 lines which said:
>
> > I meant a form of signing, which would be a strong signal of
> > repudiation of the label as well as exclusion of other holders of
> > the label, so that it could be a first-class signal "not in the DNS"
> > -> look in another internet-name lookup mechanism.
>
> A ND bit (NS = Not in DNS), as a flag in a NXDOMAIN response, would
> not be signed with DNSSEC, so it requires a new kind of NSEC...
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop