Re: [DNSOP] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

NSSEC, I found another RFC (RFC 7129) very helpful in understanding the motivation from NSEC to NSEC3, besides RFC 5155, but it is not listed in the draft above (maybe because it is for informational purposes?). https://datatracker.ietf.org/doc/rfc7129/ <https://datatracker.ietf.org/doc/rfc7

[DNSOP] The serial arithmetic involved in the comparison of the inception and expiration timestamp of RRSIG record

s the RRSIG will be valid for 68 years? (Of course the RRSIG should never be valid for a so long time) For example, something like `const uint32_t expiration = (uint32_t)((int32_t)inception + INT32_MAX)`? Thanks. -- Joey Deng ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Why does RFC 4035 allows a security-aware authoritative name server to not send RRSIG RRs that a security-aware resolver can use to authenticate the RRsets in the response?

similar to the result of type ANY query?). Thanks. -- Joey Deng ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] How does NSEC record(s) prove the Name Error?

wildcard record for the name .ietf.org? Do we need to prove that all the possible sources of synthesis for .ietf.org <http://.ietf.org/> appear in-between ietf.org. and _dmarc.ietf.org <http://dmarc.ietf.org/>? Or do we only need to prove that *.ietf.org <h

[DNSOP] Real world examples that contain DNSSEC secure `Wildcard Answer` or `Wildcard No Data`

ning, I guess? Therefore it is not what I expect to see. --- Could you give me some real world examples that contain DNSSEC Secure `Wildcard Answer` or `Wildcard No Data` as described by [RFC4035 3.1.3. Including NSEC RRs in a Response](https://datatracker.ietf.org