On Sat, Oct 24, 2015 at 3:17 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> On Thu, Oct 15, 2015 at 01:53:51PM -0400,
>  Warren Kumari <war...@kumari.net> wrote
>  a message of 33 lines which said:
>
> > draft-wkumari-dnsop-cheese-shop-00 - "Believing NSEC records in the
> > DNS root" -
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
> >
> > Basically this is a simplification of Kazunori Fujiwara's
> > I-D.fujiwara-dnsop-nsec-aggressiveuse,
>
> For me, it has the same problem as fujiwara-dnsop-nsec-aggressiveuse:
> it is a DNSSEC-specific solution, while we already have a generic
> solution, described in section 3 of vixie-dnsext-resimprove (mentioned
> by Shumon Huque in
> <http://mailarchive.ietf.org/arch/msg/dnsop/Q3FpcQONPy2SApucDDUYXiXnVJc>)
>

It looks to me like they address two separate cases:

vixie-dnsext-resimprove addresses the case where a single name 'b.example' and everything below it do not exist, found by a query for 'b.example'. That's as much as we can determine without DNSSEC. And it breaks if a DNS server returns NXDOMAIN for ENT's.

fujiwara-dnsop-nsec-aggressiveuse addresses the case where 'a.example' exists, but the range 'bxxxx.example' thru 'gyyyy.example' do not exist, found by a single query for anything in the range. But it only works with DNSSEC signed zones.

-- 
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
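The two cases contrasted in the reply above, as an added Python illustration that is not code from the thread or from either draft. The `NegativeCache` class, the `canon` helper and the NSEC pair `a.example` to `h.example` are constructed for the example, and the NSEC record is assumed to be already DNSSEC-validated and not owned by a delegation point.

```python
# Added illustration; the zone, names and NSEC pair are constructed sample data.

def canon(name):
    """RFC 4034 canonical ordering key: lowercased labels, rightmost first."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))

class NegativeCache:
    def __init__(self, apex):
        self.apex = canon(apex)
        self.nxdomain = set()  # names that drew NXDOMAIN (works without DNSSEC)
        self.nsec = []         # (owner, next) pairs from validated NSEC records

    def add_nxdomain(self, qname):
        self.nxdomain.add(canon(qname))

    def add_nsec(self, owner, nxt):
        # Assumption: record was DNSSEC-validated and owner is not a delegation.
        self.nsec.append((canon(owner), canon(nxt)))

    def denied_by_cut(self, qname):
        """NXDOMAIN cut: qname is a cached NXDOMAIN name or lies below one.
        A server that answers NXDOMAIN for an empty non-terminal makes this
        deny names that really exist underneath it."""
        q = canon(qname)
        return any(q[:len(n)] == n for n in self.nxdomain)

    def denied_by_nsec(self, qname):
        """Aggressive NSEC use: qname sorts strictly inside a cached NSEC gap."""
        q = canon(qname)
        if q[:len(self.apex)] != self.apex:
            return False       # outside the zone: the NSEC chain says nothing
        for owner, nxt in self.nsec:
            wraps = nxt == self.apex  # last NSEC in the chain points to the apex
            if owner < q and (wraps or q < nxt):
                return True
        return False

def demo():
    cache = NegativeCache("example")
    cache.add_nxdomain("b.example")           # learned from one query for b.example
    cache.add_nsec("a.example", "h.example")  # learned from one query in the gap
    names = ("b.example", "www.b.example", "bxxxx.example", "gyyyy.example",
             "a.example", "h.example", "z.example")
    return {n: (cache.denied_by_cut(n), cache.denied_by_nsec(n)) for n in names}

if __name__ == "__main__":
    for name, (cut, nsec) in demo().items():
        print(f"{name:16} cut={cut!s:5} nsec={nsec}")
```

The cut only covers `b.example` and its subtree, while the single NSEC pair also covers `bxxxx.example` and `gyyyy.example` without any further query.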