[DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-19 Shane Kerr
Stephane, At 2016-04-15 16:13:44 +0200 Stephane Bortzmeyer wrote: > On Sun, Apr 10, 2016 at 10:18:11AM -0400, > Tim Wicinski wrote > a message of 35 lines which said: > > > This starts a Call for Adoption for Aggressive use of NSEC/NSEC3 > > draft-fujiwara-dnsop-nsec-aggressiveuse > > I

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-27 Matthew Pounsett
On 19 April 2016 at 08:13, Shane Kerr wrote: > Also, I'm not sure that it is fair to say "most zones are not signed > with NSEC". I guess most *TLD* are signed with NSEC3 either for zone > size reasons or in a (misguided IMHO) attempt to keep the zone contents > secret. But is this true for domai

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-27 Shumon Huque
On Wed, Apr 27, 2016 at 11:29 AM, Matthew Pounsett wrote: > > > On 19 April 2016 at 08:13, Shane Kerr wrote: > >> Also, I'm not sure that it is fair to say "most zones are not signed >> with NSEC". I guess most *TLD* are signed with NSEC3 either for zone >> size reasons or in a (misguided IMHO)

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Shane Kerr
Matthew, At 2016-04-27 08:29:46 -0700 Matthew Pounsett wrote: > On 19 April 2016 at 08:13, Shane Kerr wrote: > > > Also, I'm not sure that it is fair to say "most zones are not signed > > with NSEC". I guess most *TLD* are signed with NSEC3 either for zone > > size reasons or in a (misguided I

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Marc Groeneweg
Matthew (and Shane), >>>Also, I'm not sure that it is fair to say "most zones are not signed >>>with NSEC". I guess most *TLD* are signed with NSEC3 either for zone >>>size reasons or in a (misguided IMHO) attempt to keep the zone >>>contents secret. But is this true for domains that are not >

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Edward Lewis
On 4/27/16, 11:29, "DNSOP on behalf of Matthew Pounsett" wrote: >On 19 April 2016 at 08:13, Shane Kerr wrote: > >>Also, I'm not sure that it is fair to say "most zones are not signed >>with NSEC". I guess most *TLD* are signed with NSEC3 either for zone >>size reasons or in a (misguided IMHO) at

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Matthew Pounsett
On 28 April 2016 at 06:37, Edward Lewis wrote: > > Not sure if that answers the question fully. Hope it helps. > It helps, for sure. So if I understand you correctly, at the TLD level it's 4:1 in favour of NSEC3, and all of those are opt-out. I imagine that will change as the number of DS reco

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-29 Edward Lewis
On 4/28/16, 18:05, "DNSOP on behalf of Matthew Pounsett" wrote: > On 28 April 2016 at 06:37, Edward Lewis wrote: >> >> Not sure if that answers the question fully. Hope it helps. > > It helps, for sure. So if I understand you correctly, at the TLD level it's > 4:1 in favour of NSEC3, and all