Stephane,

At 2016-04-15 16:13:44 +0200
Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Sun, Apr 10, 2016 at 10:18:11AM -0400,
>  Tim Wicinski <tjw.i...@gmail.com> wrote
>  a message of 35 lines which said:
>
> > This starts a Call for Adoption for Aggressive use of NSEC/NSEC3
> > draft-fujiwara-dnsop-nsec-aggressiveuse
>
> I think it is a useful technique and I think the working group should
> adopt it and work on it. I'm willing to review.
>
> I note there is some relationship with
> draft-ietf-dnsop-nxdomain-cut. It is "NXDOMAIN cut plus synthesis (if
> you have DNSSEC)".
>
> Technically speaking, the weakest point is about NSEC3: most zones
> (except the root) are not signed with NSEC, and negative-answer
> synthesis with NSEC3 seems... difficult (at least for my brain).

I think the draft covers NSEC3, although perhaps not in enough detail?

My basic understanding is that NXDOMAIN synthesis is straightforward in
concept if there is no opt-out (although perhaps tricky in
implementation), and impossible if opt-out is used. Is there something
I am missing?

Also, I'm not sure that it is fair to say "most zones are not signed
with NSEC". I guess most *TLDs* are signed with NSEC3 either for zone
size reasons or in a (misguided IMHO) attempt to keep the zone contents
secret. But is this true for domains that are not delegation-only? And
even if it is, are those zones opt-out?

Cheers,

--
Shane
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
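Worked example (added here as editorial illustration; it is not code from the draft, from the DNSOP working group, or from either poster): a Python sketch of the two synthesis paths the message discusses. Given cached, validated NSEC records it decides whether a resolver may answer a new name with a synthesized NXDOMAIN, including the wildcard check and the refusal for names below a delegation; given an NSEC3 chain it performs the hashed closest-encloser walk and, following the point made above, refuses whenever the covering record carries the Opt-Out flag, since an unsigned delegation may sit in that gap. The "example." zone, its names, and the salt and iteration count are constructed for the example, and build_nsec3_chain stands in for a zone signer so the NSEC3 records are computed locally rather than copied from any real zone.

```python
"""Added example: NXDOMAIN synthesis from cached, validated NSEC/NSEC3 records.
The 'example.' zone and all records below are constructed (hypothetical).
Assumes every cached record was DNSSEC-validated and belongs to one zone."""
import base64
import hashlib

OPT_OUT = 0x01  # NSEC3 flags field, Opt-Out bit (RFC 5155)
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name):
    """Presentation-format name -> lowercased wire labels; the root is []."""
    name = name.rstrip(".")
    return [l.encode("ascii").lower() for l in name.split(".")] if name else []


def canon_key(name):
    """Canonical DNS ordering key (RFC 4034 s6.1): labels compared right to left."""
    return list(reversed(labels(name)))


def is_subdomain(child, parent):
    c, p = canon_key(child), canon_key(parent)
    return len(c) > len(p) and c[: len(p)] == p


def nsec_covers(owner, nxt, qname):
    """qname sorts strictly between owner and next. The last NSEC of a zone points back
    to the apex; in that wrap-around case require qname to actually be inside the zone."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return is_subdomain(qname, nxt) and q > o


def closest_encloser(qname, *names):
    """Longest ancestor qname shares with the covering NSEC's owner and next names."""
    q, best = canon_key(qname), 0
    for k in map(canon_key, names):
        i = 0
        while i < min(len(q), len(k)) and q[i] == k[i]:
            i += 1
        best = max(best, i)
    return ".".join(l.decode() for l in reversed(q[:best])) + "."


def synth_nxdomain_nsec(cache, qname):
    """cache: (owner, next, type_set) NSEC records. True only when the cache proves qname
    does not exist AND that no wildcard at the closest encloser could have matched it."""
    for owner, nxt, types in cache:
        if canon_key(owner) == canon_key(qname):
            return False  # the name exists
        if is_subdomain(qname, owner) and "NS" in types and "SOA" not in types:
            return False  # below a delegation: the parent's NSEC proves nothing about the child
    hit = next(((o, n) for o, n, _ in cache if nsec_covers(o, n, qname)), None)
    if hit is None:
        return False  # nothing cached for this gap: ask the authoritative server
    wildcard = "*." + closest_encloser(qname, *hit)
    return any(nsec_covers(o, n, wildcard) for o, n, _ in cache)


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: SHA-1 over the wire-format name plus salt, iterated, base32hex (no pad)."""
    wire = b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32HEX)


def build_nsec3_chain(names, salt, iterations, flags=0):
    """Stand-in for the signer: hash the zone's existing names and link them in hash order.
    Returns (hashed_owner, flags, hashed_next) triples; base32hex preserves sort order."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, flags, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def synth_nxdomain_nsec3(chain, qname, salt, iterations):
    """Closest-encloser proof: find an existing ancestor, show the next-closer name's hash is
    covered, then show the wildcard under the encloser is covered. A covering record with
    Opt-Out set cannot prove NXDOMAIN (unsigned delegations may hide in the gap): refuse."""
    def match(name):
        h = nsec3_hash(name, salt, iterations)
        return any(o == h for o, _, _ in chain)

    def cover(name):  # returns the covering record's flags, or None if nothing covers it
        h = nsec3_hash(name, salt, iterations)
        for o, f, n in chain:
            if (o < h < n) if o < n else (h > o or h < n):
                return f
        return None

    if match(qname):
        return False
    labs = qname.rstrip(".").split(".")
    for i in range(1, len(labs)):
        encloser, next_closer = ".".join(labs[i:]) + ".", ".".join(labs[i - 1:]) + "."
        if match(encloser):
            flags = cover(next_closer)
            if flags is None or flags & OPT_OUT:
                return False
            return cover("*." + encloser) is not None
    return False
```

The NSEC path refuses in three cases a resolver must not paper over: the name is an NSEC owner (it exists), it lies below a delegation whose NSEC belongs to the parent zone, or the wildcard at the closest encloser is itself an existing owner (the real answer would be a wildcard expansion). The NSEC3 path makes the opt-out rule visible as a flag check on the record covering the next-closer name rather than on the whole zone, which is where the distinction the message asks about actually lives.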