On Thu, Mar 14, 2024 at 2:45 AM Peter Thomassen <pe...@desec.io> wrote:

> Hi Shumon et al.,
>
> On 3/5/24 08:15, internet-dra...@ietf.org wrote:
> > Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-03.txt is now
> > available. It is a work item of the Domain Name System Operations (DNSOP) WG
> > of the IETF.
>
> I added a PR with some suggestions here:
> https://github.com/shuque/id-dnssec-compact-lies/pull/3
>
> The PR just has the suggestions, with no rationale. If anything's
> contentious or the rationale less obvious than I thought: apologies; happy
> to provide it!
>

Thanks, will review ..


> Also, two questions:
>
> Section 2:
>
>         An alternative way to distinguish NXDOMAIN from ENT is to define
>         the synthetic Resource Record type for ENTs [...] This typically
>         imposes less work on the server since NXDOMAIN responses are a lot
>         more common than ENTs.
>
> Not sure in what regard this is "less" work -- an NSEC record has to be
> signed in any case?
>

Less work because ENTs are less common than NXDOMAIN, so the authoritative
server has to add the pseudo-type to the NSEC record less often. Also,
since the ENT exists in the zone, the authority server could in theory
pre-compute and cache the signed NSEC associated with it.


> Section 4.1
>
>         This section describes an optional but recommended scheme
>
> How do "optional" and "recommended" relate to the corresponding uppercase
> keywords (which don't apply at the same time)?
>

I was having a discussion with some folks about this point yesterday at the
hackathon. I was initially avoiding the keyword term "SHOULD" since it
tends to carry a stronger connotation (e.g. only ignore doing this if you
have a very good reason), and that sometimes antagonizes people. We know
there are some resolver implementers that don't want to complicate their
code just to make Compact Denial work better. If the working group is
amenable though, we would be happy to add SHOULD or RECOMMENDED.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
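
The NXDOMAIN/ENT distinction discussed in this thread is carried in the NSEC type bitmap. The following is an added example, not part of the original message or the draft's text, showing how a validator could tell the cases apart. It assumes the scheme in which nonexistent names carry a pseudo-type and ENTs list only RRSIG and NSEC; the pseudo-type name NXNAME and its code point 128 are taken from RFC 9824, not from the thread, and the sample bitmaps are constructed.

```python
RRSIG, NSEC = 46, 47
NXNAME = 128  # assumption: code point from RFC 9824, not given in the thread

def encode_bitmap(types):
    """Encode RR type codes as an NSEC type bitmap (RFC 4034, section 4.1.2)."""
    windows = {}
    for t in set(types):
        windows.setdefault(t >> 8, bytearray(32))[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_bitmap(wire):
    """Decode a type bitmap, rejecting truncated or out-of-order windows."""
    types, pos, last_win = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        pos += 2
        if win <= last_win or not 1 <= length <= 32 or pos + length > len(wire):
            raise ValueError("malformed type bitmap")
        for i, octet in enumerate(wire[pos:pos + length]):
            types.update((win << 8) | (i << 3) | b for b in range(8) if octet & (0x80 >> b))
        pos += length
        last_win = win
    return types

def classify(qtype, wire):
    """Classify a signed negative answer from its NSEC type bitmap."""
    types = decode_bitmap(wire)
    if not {RRSIG, NSEC} <= types:
        raise ValueError("NSEC bitmap must list RRSIG and NSEC")
    if NXNAME in types:
        return "NXDOMAIN"   # name does not exist; pseudo-type added at signing time
    if types == {RRSIG, NSEC}:
        return "ENT"        # empty non-terminal: no pseudo-type needed
    if qtype in types:
        raise ValueError("bitmap lists the queried type; not a denial")
    return "NODATA"         # name exists, queried type does not

# Constructed sample bitmaps, not captured traffic.
NXDOMAIN_BITMAP = encode_bitmap([RRSIG, NSEC, NXNAME])
ENT_BITMAP = encode_bitmap([RRSIG, NSEC])
NODATA_BITMAP = encode_bitmap([1, 15, RRSIG, NSEC])  # A, MX at the name
```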
