Alvaro Retana has entered the following ballot position for
draft-ietf-dnsop-nsec3-guidance-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec3-guidance/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Should this document formally Update RFC5155?  Besides providing "guidance on
setting NSEC3 parameters", there is also Normative language that seems similar
to what is in RFC5155, but not the same.  For example:

In §3.2 this document says:

   Validating resolvers MAY return an insecure response to their clients
   when processing NSEC3 records with iterations larger than 0.  Note
   also that a validating resolver returning an insecure response MUST
   still validate the signature over the NSEC3 record to ensure the
   iteration count was not altered since record publication (see
   [RFC5155] section 10.3).

I couldn't find text in RFC5155 about how returning insecure responses is
optional, but I did find this in §10.3 that seems related to the validation
requirement:

   A resolver MAY treat a response with a higher value as insecure,
   after the validator has verified that the signature over the NSEC3
   RR is correct.

Reading further, §3.2 does say that "this specification updates [RFC5155]", but
there's no indication in the header or anywhere else.



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
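Added example (not part of the ballot, the draft, or RFC 5155): a small Python
model of the validator decision quoted above, written to show why the order of
the two checks matters. Treating a high iteration count as insecure is only
safe after the RRSIG over the NSEC3 RR has verified; a resolver that looks at
the iteration count first could be steered into an insecure answer by a record
whose count was altered in transit. The NSEC3Params dataclass, the boolean
rrsig_valid argument (standing in for a real signature check) and the
iteration_limit parameter are assumptions of this example, not names from
either document.

```python
"""Model of the NSEC3 iteration-count decision from
draft-ietf-dnsop-nsec3-guidance section 3.2 / RFC 5155 section 10.3.

Assumptions of this example (not from the documents): the NSEC3 RR is a
dataclass, the RRSIG verification result is passed in as a boolean, and the
iteration count above which the resolver chooses to answer 'insecure' is a
parameter (default 0, the value the draft's text refers to).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC3Params:
    hash_alg: int      # RFC 5155 hash algorithm number (1 = SHA-1)
    flags: int         # NSEC3 flags field (Opt-Out bit etc.)
    iterations: int    # additional hash iterations
    salt: bytes        # salt, possibly empty


SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


def classify_nsec3_response(params: NSEC3Params, rrsig_valid: bool,
                            iteration_limit: int = 0) -> str:
    """Return the security status a validator should attach to a response
    whose denial of existence relies on this NSEC3 RR."""
    # The signature check comes first. If the RRSIG over the NSEC3 RR does not
    # verify, nothing in the record (including the iteration count) can be
    # trusted, so the result is bogus, never insecure.
    if not rrsig_valid:
        return BOGUS
    # Only once the record is known to be authentic may the resolver exercise
    # the MAY and treat a higher-than-accepted iteration count as insecure.
    if params.iterations > iteration_limit:
        return INSECURE
    return SECURE


def naive_classify(params: NSEC3Params, rrsig_valid: bool,
                   iteration_limit: int = 0) -> str:
    """The mistake the quoted MUST guards against: deciding 'insecure' from the
    iteration count before the signature has been checked. An unsigned or
    tampered record with a large count yields an insecure (downgraded) answer
    instead of bogus."""
    if params.iterations > iteration_limit:
        return INSECURE
    if not rrsig_valid:
        return BOGUS
    return SECURE


if __name__ == "__main__":
    # Constructed sample records for demonstration only.
    good = NSEC3Params(hash_alg=1, flags=0, iterations=0, salt=b"")
    high = NSEC3Params(hash_alg=1, flags=0, iterations=150, salt=b"\xab\xcd")
    print("signed, 0 iterations     :", classify_nsec3_response(good, True))
    print("signed, 150 iterations   :", classify_nsec3_response(high, True))
    print("unsigned, 150 iterations :", classify_nsec3_response(high, False))
    print("naive, unsigned, 150 it. :", naive_classify(high, False))
```

The last two lines of the demo are the point of the example: with the same
tampered, unverifiable record, classify_nsec3_response answers "bogus" while
naive_classify answers "insecure", which is exactly the downgrade the MUST in
section 3.2 rules out.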