On Wednesday, March 11, 2015 09:52:55 AM Nicholas Weaver wrote:
> Why not just do something simpler?  The only thing NSEC5 really differs in a
> way that counts is not in the NSEC record but really just the DNSKEY
> handling, having a separate key used for signing the NSEC* records.
> 
> So why define NSEC5 at all.
> 
> Instead, just specify a separate flag for the DNSKEY record, "NSEC-only",
> sign the NSEC3 dynamically, bada bing, bada boom, done!

This would not work. Anyone holding the NSEC-only private key could fake 
denying answers for the zone. So if your zone is slaved by a less-trusted 
party, they could still manipulate your zone. This is not possible with NSEC5.

Jan

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
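An added illustration of the point Jan makes above (this is not code from the thread, from the NSEC5 draft, or from any DNS implementation): a secondary that holds the proposed "NSEC-only" signing key can forge a denial for a name that exists, while a secondary that holds only the NSEC5 secret key cannot, because the NSEC5 chain itself is signed with the zone key it does not have and the VRF output for a name is unique. Textbook RSA with small primes stands in for the RSA-FDH VRF; the zone names, key parameters and hash truncation are all constructed for the demo and nothing here is a secure implementation.

```python
"""Toy model: forging denial of existence against an 'NSEC-only' signing key
versus against NSEC5. Keys, zone and hashes are constructed for the demo;
textbook RSA is a stand-in for RSA-FDH and is NOT secure."""
import hashlib

ZONE = ["example.", "alpha.example.", "charlie.example."]   # constructed zone


def toy_keypair(p, q, e=65537):
    """Textbook RSA, no padding. Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def fdh(data, n):
    """Full-domain hash of data into Z_n (the H of RSA-FDH)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data):
    n, d = priv
    return pow(fdh(data, n), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == fdh(data, n)


def covers(lo, hi, y):
    """True if y lies strictly inside the gap (lo, hi) of the hash ring; the
    record with the largest lo wraps around to the smallest hash."""
    return lo < y < hi if lo < hi else (y > lo or y < hi)


def chain(hashes, signer):
    """Sorted hash ring of (lo, hi, signature over 'lo hi') records."""
    hs, out = sorted(hashes), []
    for i, lo in enumerate(hs):
        hi = hs[(i + 1) % len(hs)]
        out.append((lo, hi, rsa_sign(signer, f"{lo} {hi}".encode())))
    return out


def record_ok(pub, rec):
    lo, hi, sig = rec
    return rsa_verify(pub, f"{lo} {hi}".encode(), sig)


def merge_gaps(hs, y, signer):
    """Attacker helper: one record spanning both gaps around y, signed with
    whatever key the attacker has. If accepted, the name hashing to y is gone."""
    i = hs.index(y)
    lo, hi = hs[i - 1], hs[(i + 1) % len(hs)]
    return (lo, hi, rsa_sign(signer, f"{lo} {hi}".encode()))


# Design A: NSEC3 signed on the fly by the secondary with an "NSEC-only" key.
def nsec3_hash(name):
    return hashlib.sha256(name.encode()).hexdigest()[:16]   # toy stand-in for NSEC3's salted, iterated hash


def accept_nsec3_denial(nsec_pub, qname, rec):
    return record_ok(nsec_pub, rec) and covers(rec[0], rec[1], nsec3_hash(qname))


# Design B: NSEC5. The owner VRFs every name and signs the ring with the ZSK;
# the secondary holds the VRF (NSEC5) secret key but not the ZSK.
def nsec5_hash(proof):
    return hashlib.sha256(str(proof).encode()).hexdigest()[:16]   # H(VRF output)


def build_nsec5_chain(names, nsec5_priv, zsk_priv):
    return chain([nsec5_hash(rsa_sign(nsec5_priv, n.encode())) for n in names], zsk_priv)


def nsec5_answer(nsec5_priv, ring, qname):
    """Honest secondary: compute the proof for qname on the fly and return the
    owner-signed record whose gap contains H(proof); None if qname exists."""
    proof = rsa_sign(nsec5_priv, qname.encode())
    y = nsec5_hash(proof)
    return proof, next((r for r in ring if covers(r[0], r[1], y)), None)


def accept_nsec5_denial(nsec5_pub, zsk_pub, qname, proof, rec):
    return (rsa_verify(nsec5_pub, qname.encode(), proof)    # proof really is VRF(qname)
            and record_ok(zsk_pub, rec)                     # record really came from the owner
            and covers(rec[0], rec[1], nsec5_hash(proof)))


def run_demo():
    zsk_pub, zsk_priv = toy_keypair(65521, 65537)          # owner only
    n5_pub, n5_priv = toy_keypair(999983, 1000003)         # owner and secondary
    nsec_pub, nsec_priv = toy_keypair(104729, 1299709)     # proposed NSEC-only key, held by the secondary
    victim, r = "charlie.example.", {}

    # A: the secondary signs a merged gap with the NSEC-only key; the resolver trusts it.
    forged = merge_gaps(sorted(nsec3_hash(n) for n in ZONE), nsec3_hash(victim), nsec_priv)
    r["nsec_only_key_forges_denial"] = accept_nsec3_denial(nsec_pub, victim, forged)

    # B: honest behaviour first.
    ring = build_nsec5_chain(ZONE, n5_priv, zsk_priv)
    proof, rec = nsec5_answer(n5_priv, ring, "bravo.example.")
    r["nsec5_honest_denial_accepted"] = accept_nsec5_denial(n5_pub, zsk_pub, "bravo.example.", proof, rec)
    proof, rec = nsec5_answer(n5_priv, ring, victim)
    r["nsec5_existing_name_has_no_gap"] = rec is None

    # B, forgery 1: merge the gaps around the victim, but sign with the only key the secondary has.
    fake_rec = merge_gaps([x[0] for x in ring], nsec5_hash(proof), n5_priv)
    r["nsec5_forged_record_rejected"] = not accept_nsec5_denial(n5_pub, zsk_pub, victim, proof, fake_rec)

    # B, forgery 2: keep genuine owner-signed records, present a different "proof" for the victim.
    fake_proof = (proof + 1) % n5_pub[0]
    r["nsec5_forged_proof_rejected"] = not any(
        accept_nsec5_denial(n5_pub, zsk_pub, victim, fake_proof, x) for x in ring)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two forgeries tried against NSEC5 are the only moves a secondary with the NSEC5 secret key has: inventing a chain record fails the ZSK check, and changing the proof fails the VRF check, so the hash of an existing name can never be made to fall inside a gap. Under the NSEC-only design the same merge of two gaps is accepted, which is exactly the manipulation by a less-trusted slave that the reply describes.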
