Petr Špaček <pspa...@isc.org> writes:

> > 3.1. Best-practice for zone publishers
> >
> > I wonder if we can make the requirement even stronger by saying "If
> > NSEC3 must be used, then an iterations count of 0 MUST be used to
> > alleviate computational burdens." (MUST instead of SHOULD).
> >
> > Or is there a valid reason for zone publishers to set iterations to
> > a non-zero value?
>
> This section is IMHO missing a scary warning to explain the
> reasons. Let's add a couple of sentences (+ "extra" keyword to
> differentiate it from the implicit single iteration):
>
> ----------
> If NSEC3 must be used, then an extra iterations count of 0 SHOULD be
> used to alleviate computational burdens.
>
> Please note that extra iteration counts other than 0 increase the impact
> of resource CPU-exhausting DoS attacks, and also increase the risk of
> interoperability problems.
> ----------
Sentence added -- seems widely agreed upon.

-- 
Wes Hardaker
USC/ISI
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
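An added illustration of the "implicit single iteration" point in the proposed text above; this is example code written for this page, not code from the draft, from ISC, or from anyone on the thread. It implements the NSEC3 hash of RFC 5155 section 5 while counting SHA-1 invocations, so that an iterations field of 0 visibly still costs one hash and every extra iteration adds one more pass per name, and it lists the names a validator may have to hash for a closest-encloser proof (RFC 5155 section 8.3), which is what multiplies that per-name cost on the resolver side. The salt aabbccdd with 12 iterations and the query name a.c.x.w.example. are the parameters of the RFC 5155 Appendix A/B example zone, so the digests printed by main() can be compared against that appendix; the 500-iteration comparison is a constructed figure chosen only to show the ratio.

```python
"""NSEC3 hashing (RFC 5155 section 5) with an explicit SHA-1 call counter.

Added example for the iterations discussion; not code from the draft or the list.
"""
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python only ships plain
# base32, so translate the alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def base32hex(data: bytes) -> str:
    """Base32hex, lowercase, without padding (a 20-byte SHA-1 digest needs none)."""
    return base64.b32encode(data).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=").lower()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): labels lowercased,
    each prefixed by its length, terminated by the zero-length root label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:           # "." has no labels at all
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int):
    """Return (base32hex digest, number of SHA-1 calls made).

    IH(salt, x, 0) = H(x || salt)
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    The NSEC3 'iterations' field counts the *extra* passes: 0 still hashes once.
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    calls = 1
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    return base32hex(digest), calls


def closest_encloser_candidates(qname: str, zone: str):
    """Names a validator hashes, worst case, when searching for the closest
    encloser (RFC 5155 section 8.3): the query name and each ancestor up to the apex."""
    q = [l for l in qname.lower().rstrip(".").split(".") if l]
    z = [l for l in zone.lower().rstrip(".").split(".") if l]
    if z and q[-len(z):] != z:
        raise ValueError("qname is not within zone")
    return [".".join(q[i:]) + "." for i in range(len(q) - len(z) + 1)]


def validator_hash_work(qname: str, zone: str, iterations: int) -> int:
    """Upper bound on SHA-1 invocations for one NXDOMAIN proof: every
    closest-encloser candidate plus the wildcard name at the closest encloser."""
    names = len(closest_encloser_candidates(qname, zone)) + 1
    return names * (iterations + 1)


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: SHA-1, salt aabbccdd, 12 extra iterations.
    for it in (0, 12):
        digest, calls = nsec3_hash("example.", "aabbccdd", it)
        print(f"example. iterations={it:<3} hash={digest} sha1_calls={calls}")
    # Constructed comparison: cost of one NXDOMAIN proof for a.c.x.w.example.
    for it in (0, 500):
        print(f"iterations={it:<3} worst-case SHA-1 calls per proof: "
              f"{validator_hash_work('a.c.x.w.example.', 'example.', it)}")
```

The counter is the whole point: a validator (or signer) handling a zone with iterations=N performs N+1 SHA-1 passes per name, and an NXDOMAIN proof for a deep name under an apex can require hashing every ancestor plus a wildcard, so the CPU cost of a query flood scales linearly with the publisher's iteration choice while the defensive value of the extra passes does not.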