On Tue, Aug 8, 2023 at 9:21 AM Edward Lewis <edward.le...@icann.org> wrote:
> > Compact DoE, and RFC4470 already appear to violate it for ENT responses. And it was (arguably) already violated by pre-computed NSEC3 (5155), where an empty non-terminal name (or rather the hash of it) does solely own an NSEC3 record.
>
> NSEC3 is different. Because NSEC3 hashes the labels into a flat space, it hides the in-zone structure, which is something a multi-label deep zone [rather uncommon] would need. The impact is that empty non-terminals must be represented in the NSEC3 chain to adequately prove a name does not have records or subordinates (NXDOMAIN).
>
> Due to the NSEC resource record exposing the full name involved, the resolver can infer where empty, non-terminal names exist in the zone. This is the reason behind the notion that at most two NSEC resource record sets are needed to answer negatively, whereas up to three NSEC3 resource record sets may be needed.

Thanks Ed. I have in-depth familiarity with all of this :)

My original comment about NSEC3 was preceded by "arguably", and I probably should not have brought it up, as Compact DoE doesn't use NSEC3 and none of its subtle properties are relevant. I suggest we go back to focusing on NSEC and the relevant impacts.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
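The distinction Ed draws above (NSEC exposes names, so a resolver can infer an empty non-terminal from the covering record alone, whereas NSEC3 flattens the tree and must carry a record for every ENT, with up to three records in a closest-encloser proof) can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from either author. It assumes a constructed toy zone (`example.com` with records at the apex, `a.b.example.com` and `mail.example.com`, so `b.example.com` is an ENT), no wildcard in the zone, and NSEC3 parameters (salt, iterations) chosen arbitrarily; the hashing follows RFC 5155 section 5 and the proof logic RFC 5155 section 7.2.

```python
"""Toy NSEC vs NSEC3 denial of existence for a zone with an empty non-terminal."""
import base64
import hashlib

# Constructed toy zone (not from the thread): records exist only at these
# names. "b.example.com" owns nothing but sits above "a.b.example.com",
# so it is an empty non-terminal (ENT). The zone has no wildcard.
APEX = "example.com"
OWNERS = ["example.com", "a.b.example.com", "mail.example.com"]

def labels(name):
    return name.lower().rstrip(".").split(".")

def canonical_key(name):
    # RFC 4034 section 6.1 canonical order: compare labels from the root down
    return tuple(reversed(labels(name)))

def is_ancestor(ancestor, name):
    a, n = labels(ancestor), labels(name)
    return len(a) < len(n) and n[-len(a):] == a

def parent(name):
    return ".".join(labels(name)[1:])

def empty_non_terminals(owners, apex):
    """Names below the apex that own no records but have descendants that do."""
    ents = set()
    for owner in owners:
        p = parent(owner)
        while p != apex and is_ancestor(apex, p):
            if p not in owners:
                ents.add(p)
            p = parent(p)
    return sorted(ents, key=canonical_key)

def covering(chain, k, key):
    """Record (owner, next) whose interval covers key k of a name that owns no
    record, including the wrap-around from the last owner back to the first."""
    for owner, nxt in chain:
        ko, kn = key(owner), key(nxt)
        if ko < k < kn or (kn <= ko and not kn <= k <= ko):
            return (owner, nxt)
    raise ValueError("name is not covered: it owns a record")

def nsec_chain(owners):
    names = sorted(set(owners), key=canonical_key)   # ENTs get no NSEC record
    return [(names[i], names[(i + 1) % len(names)]) for i in range(len(names))]

def nsec_negative_proof(owners, apex, qname):
    """NSEC records a resolver needs for a negative answer in a wildcard-free zone."""
    if qname in owners:
        return "NOERROR", []
    chain = nsec_chain(owners)
    rec = covering(chain, canonical_key(qname), canonical_key)
    if is_ancestor(qname, rec[1]):
        # The next owner name lies below qname, so qname must be an ENT: the
        # resolver infers NODATA from the exposed name using one record.
        return "NODATA", [rec]
    existing = set(owners) | set(empty_non_terminals(owners, apex))
    closest = parent(qname)
    while closest not in existing:
        closest = parent(closest)
    wild = covering(chain, canonical_key("*." + closest), canonical_key)
    return "NXDOMAIN", [rec] if wild == rec else [rec, wild]   # at most two

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: iterated SHA-1 over the wire-format name, base32hex."""
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return base64.b32encode(digest).decode().translate(table)

def nsec3_chain(owners, apex, salt=b"", iterations=0):
    # Hashing flattens the tree, so every ENT must own its own NSEC3 record
    names = set(owners) | set(empty_non_terminals(owners, apex))
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]

def nsec3_negative_proof(owners, apex, qname, salt=b"", iterations=0):
    """NSEC3 records needed: the RFC 5155 section 7.2 closest encloser proof."""
    if qname in owners:
        return "NOERROR", []
    existing = set(owners) | set(empty_non_terminals(owners, apex))
    chain = nsec3_chain(owners, apex, salt, iterations)
    h = lambda n: nsec3_hash(n, salt, iterations)
    if qname in existing:
        # ENT: its hash owns a record, so that single matching NSEC3 proves NODATA
        return "NODATA", [r for r in chain if r[0] == h(qname)]
    closest, next_closer = parent(qname), qname
    while closest not in existing:
        closest, next_closer = parent(closest), closest
    proof = [r for r in chain if r[0] == h(closest)]     # matches closest encloser
    for n in (next_closer, "*." + closest):              # covers next closer, wildcard
        rec = covering(chain, h(n), lambda x: x)
        if rec not in proof:
            proof.append(rec)
    return "NXDOMAIN", proof                             # up to three records

if __name__ == "__main__":
    for q in ("c.example.com", "b.example.com"):
        print(q, nsec_negative_proof(OWNERS, APEX, q))
        print(q, nsec3_negative_proof(OWNERS, APEX, q, salt=b"\xaa\xbb", iterations=1))
```

Running it shows the NSEC chain with three records (no entry for the ENT) against an NSEC3 chain with four, and that `b.example.com` is answered under NSEC by inference from the covering record while under NSEC3 it needs its own matching record.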