On Mar 6, 2012, at 3:05 PM, Jakob Schlyter wrote: >> The one difference that comes to mind is that NSEC3 doesn't make a lot sense >> in the reverse space, as anyone can walk the zones anyway, so we (LACNIC) >> will be using NSEC for signed negative responses. > > Except perhaps for IPv6 ?
Wasn't the argument that you could effectively distinguish between 'dead branches' and empty non-terminals by looking at NXDOMAIN vs NOERROR/empty answer, and thus enumerate at each label and dive deeper if the branch is not dead? --Olaf ________________________________________________________ Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
