5. Next Record type
There are currently two types of next records that provide
authenticated denial of existence of DNS data in a zone.
I have a problem with this presentation.
There are two mechanisms to provide proof of non-existence, each of which has an
RR type associated with it.
The text of section 5 as written places the RRtype as the main focus
rather than the technique used.
One of the issues I have been running into is that people assume that
NSEC3 is a replacement of NSEC because of the naming of the records,
i.e. NSEC3 is the 3rd version of NSEC;
For this reason I would advocate that this section be retuned to talk
about the mechanisms first and then cover the on-the-wire details and
records.
o The NSEC [4] record builds a linked list of sorted RRlabels with
their record types in the zone.
o The NSEC3 [24] record builds a similar linked list, but uses
hashes instead of the RRLabels.
My draft rewrite of 5.
There are two mechanisms to provide authenticated proof of
existence/non-existence in DNSSEC: a clear text one and an obfuscated
one. Both mechanisms include, for each name, a list of all the RRtypes
present at the name. Both mechanisms only include the names the zone is
authoritative for, i.e. glue names present in the zone are omitted.
* The clear text one is implemented via a sorted linked list of names in
the zone.
* The obfuscated one first hashes the names via a one-way hash
function and then sorts the resulting strings.
Each version has its own RRtype for negative answers: the clear
text one uses the NSEC record and the obfuscated one uses NSEC3.
If you agree that this change in focus is beneficial I will be happy to
help rewrite the remainder of the section.
Olafur
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
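The two mechanisms described in the draft rewrite above, side by side over one zone, as an added example that is not part of the original message or of the draft under discussion. The toy zone, its names and its RR types are constructed for illustration. The clear text chain sorts authoritative names in canonical order (RFC 4034 section 6.1) and links each to the next; the obfuscated chain hashes each name with SHA-1 over its wire format plus a salt, iterates, encodes in base32hex (RFC 5155), sorts the hashes and links those instead. Both chains carry the RR types present at the original name and both omit the glue name below the delegation. The salt and iteration count are the ones RFC 5155 Appendix A uses, chosen here so readers can compare against that appendix; the non-existence lookup returns only the single covering record, and a complete NSEC3 NXDOMAIN proof additionally needs the closest-encloser and wildcard records, which this example does not build.

```python
"""NSEC (clear text) and NSEC3 (hashed) chains over one constructed toy zone."""
import base64
import hashlib

ZONE_APEX = "example."
# Constructed toy zone: owner name -> set of RR types present at that name.
# "ns.child.example." is glue below the "child.example." delegation, so the
# zone is not authoritative for it and it must not appear in either chain.
ZONE = {
    "example.":          {"SOA", "NS", "MX"},
    "a.example.":        {"A"},
    "child.example.":    {"NS"},          # delegation point
    "ns.child.example.": {"A"},           # glue, not authoritative
    "www.example.":      {"A", "AAAA"},
    "zz.example.":       {"TXT"},
}


def labels(name):
    """Lower-cased labels of a dotted name, root ("." or "") giving []."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left, case-insensitively;
    a name sorts before any name it is a proper suffix of."""
    return tuple(lab.encode() for lab in reversed(labels(name)))


def is_glue(name):
    """True if some proper ancestor of name below the apex holds an NS RRset."""
    ls, apex_ls = labels(name), labels(ZONE_APEX)
    for i in range(1, len(ls) - len(apex_ls)):
        ancestor = ".".join(ls[i:]) + "."
        if "NS" in ZONE.get(ancestor, ()):
            return True
    return False


def authoritative_names(zone):
    return [n for n in zone if not is_glue(n)]


def wire_name(name):
    """Uncompressed wire format: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels(name)) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt); base32hex out."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()            # 20 bytes -> 32 chars, no padding
    hexalpha = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return b32.translate(hexalpha).lower()


def nsec_chain(zone):
    """Clear text chain: (owner, next owner, types). The NSEC and its RRSIG are
    themselves present at the name, so they appear in the type list."""
    names = sorted(authoritative_names(zone), key=canonical_key)
    return [(names[i], names[(i + 1) % len(names)], sorted(zone[names[i]] | {"NSEC", "RRSIG"}))
            for i in range(len(names))]


def nsec3_chain(zone, salt, iterations):
    """Hashed chain: (owner hash, next hash, types). The type list describes the
    original name, where the NSEC3 RR itself does not live, so NSEC3 is not listed."""
    hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in authoritative_names(zone))
    return [(h, hashed[(i + 1) % len(hashed)][0], sorted(zone[n] | {"RRSIG"}))
            for i, (h, n) in enumerate(hashed)]


def chain_is_closed(chain):
    """Every next field names the following owner and the last record wraps to the first."""
    return all(chain[i][1] == chain[(i + 1) % len(chain)][0] for i in range(len(chain)))


def covers(owner_key, next_key, query_key):
    """Is query_key strictly inside the (owner, next) gap? The last record's gap wraps."""
    if owner_key < next_key:
        return owner_key < query_key < next_key
    return query_key > owner_key or query_key < next_key


def find_denial(chain, key_fn, query_key):
    """("exists", owner, types) when the name is in the chain, else
    ("nxdomain", owner, next) for the record whose gap covers the query."""
    for owner, nxt, types in chain:
        owner_key, next_key = key_fn(owner), key_fn(nxt)
        if owner_key == query_key:
            return ("exists", owner, types)
        if covers(owner_key, next_key, query_key):
            return ("nxdomain", owner, nxt)
    raise ValueError("chain is not closed; no record covers the query")


def nsec_denial(chain, qname):
    return find_denial(chain, canonical_key, canonical_key(qname))


def nsec3_denial(chain, qname, salt, iterations):
    return find_denial(chain, lambda h: h, nsec3_hash(qname, salt, iterations))


if __name__ == "__main__":
    SALT, ITER = bytes.fromhex("aabbccdd"), 12       # the RFC 5155 Appendix A parameters
    nsec, nsec3 = nsec_chain(ZONE), nsec3_chain(ZONE, SALT, ITER)
    for rec in nsec:
        print("NSEC ", rec)
    for rec in nsec3:
        print("NSEC3", rec)
    print(nsec_denial(nsec, "b.example."), nsec3_denial(nsec3, "b.example.", SALT, ITER))
```

Run it and the two chains print one after the other: the NSEC owners are readable names in canonical order, the NSEC3 owners are 32-character base32hex strings in hash order, and in both the glue name is absent while the delegation name is present. A query for the nonexistent b.example. lands in the gap between a.example. and child.example. in the clear text chain, and in whichever hash gap its own hash falls into in the obfuscated one; a query for an existing name returns that name's record with its type list, which is what a NODATA proof inspects.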