On 25-11-2021 13:00, Petr Špaček wrote:
On 25. 11. 21 9:33, Matthijs Mekking wrote:
3.2. Recommendation for validating resolvers
I understand why the new text is here, but I think this now actually
gives too little advice for operators and vendors.
I know, this is a vague comment, I need to think about it a bit more.
Honestly I can't see anything more specific which will not get out of
date quickly.
Can we make use of the keyword MAY? This allows I think for text that
will not get out of date:
Validating resolvers MAY return an insecure response when processing
NSEC3 records with iterations larger than 0. Validating resolvers MAY
also return SERVFAIL when processing NSEC3 records with iterations
larger than 0. This significantly decreases the requirements
originally specified in Section 10.3 of [RFC5155]. See the Security
Considerations for arguments on how to handle responses with non-zero
iteration count.
Having text that says "MAY do this at value X" is more quantifiable and
IMO a stronger signal that zone publishers really should not use value X.
Best regards,
Matthijs
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop