I can't find a draft to cite for this talk, so this refers to the slides
presented.

"DNSSEC Protocol Modifications"
(http://www.rfc-editor.org/rfc/rfc4035.txt) has an explicit prohibition on
names owning only NSEC and RRSIG.

Yeah.

I'm not holding this up as a royal edict.  But it's there in plain text.

Fortunately there's a rationale why the requirement language is there, so
there's a starting point to "work on this."

"2.3.  Including NSEC RRs in a Zone

...

   An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
   RRset at any particular owner name."
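
As an added illustration (not part of the original message or of RFC 4035), the Python lint below flags owner names that violate the quoted rule. The zone contents, the simplified one-record-per-line format and the function names are all constructed for this example.

```python
from collections import defaultdict

# Constructed, abbreviated zone: one record per line as "owner ttl class type rdata".
# Signatures are elided and the RRSIGs for SOA/NS are omitted for brevity.
SAMPLE_ZONE = """\
example.      3600 IN SOA   ns1.example. admin.example. 1 7200 3600 1209600 3600
example.      3600 IN NS    ns1.example.
example.      3600 IN NSEC  ent.example. NS SOA RRSIG NSEC
example.      3600 IN RRSIG NSEC 13 1 3600 (sig-elided)
ent.example.  3600 IN NSEC  ns1.example. RRSIG NSEC
ent.example.  3600 IN RRSIG NSEC 13 2 3600 (sig-elided)
ns1.example.  3600 IN A     192.0.2.1
ns1.example.  3600 IN RRSIG A 13 2 3600 (sig-elided)
ns1.example.  3600 IN NSEC  example. A RRSIG NSEC
ns1.example.  3600 IN RRSIG NSEC 13 2 3600 (sig-elided)
"""


def rrtypes_by_owner(zone_text):
    """Map each owner name (lowercased) to the set of RR types present there."""
    owners = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or something this toy parser skips
        owners[fields[0].lower()].add(fields[3].upper())
    return owners


def nsec_only_owners(zone_text):
    """Owner names whose only RRsets are NSEC and the RRSIG that goes with it."""
    return sorted(
        owner
        for owner, types in rrtypes_by_owner(zone_text).items()
        if "NSEC" in types and types <= {"NSEC", "RRSIG"}
    )


if __name__ == "__main__":
    for owner in nsec_only_owners(SAMPLE_ZONE):
        print(f"{owner}: NSEC/RRSIG are the only RRsets (RFC 4035 section 2.3)")
```
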

