On Thu, Oct 6, 2016 at 12:32 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> On Thu, Oct 06, 2016 at 02:53:38AM -0400,
> Tim Wicinski <tjw.i...@gmail.com> wrote
> a message of 17 lines which said:
>
>> Just a reminder that the WGLC for
>> draft-ietf-dnsop-nsec-aggressiveuse will end later today (barring
>> any stuck issues). The authors appear to have addressed all open
>> issues
>
> The way I understand it, in -03, there is no more *positive* answers
> (NOERROR synthesized from a wildcard in the cache), only negative ones
> (NXDOMAIN). Am I correct? (If so, I agree with the change.)

Yes, you *were* correct -- however, since then the WG has demanded^w requested that we re-introduce the positive answer text, and so I have just committed that to GitHub. I have not yet, however, incorporated your original text fixup, I'll do that now...

W

>
> If this is true, then I would suggest some work on rewriting section 7
> new text for updating RFC 4035. True, the cache needs to look at
> wildcards to see if it can synthesize NXDOMAINs or not but the way it
> is written, it is confusing, since a wildcard would *prevent*
> synthesis. Maybe:
>
> Once the records are validated, DNSSEC enabled validating
> resolvers MAY use NSEC/NSEC3 resource records
> to generate negative responses until their effective TTLs
> or signatures for those records expire. (This requires to also
> check there is no wildcard applicable for the QNAME.)
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
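The check discussed in this thread (a cached NSEC may yield a synthesized NXDOMAIN only if no wildcard applies to the QNAME), as an added example that is not part of the original messages or of the draft. It assumes plain NSEC (not NSEC3), a single zone without delegations, and records that were already validated; the function names, the tuple layout and the sample zone are constructed for illustration.

```python
# NSEC records are modelled as (owner, next_name, expires), already validated.

def key(name):
    """Canonical ordering key (RFC 4034, 6.1): labels right to left, lowercased."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def is_subdomain(child, parent):
    c, p = key(child), key(parent)
    return len(c) > len(p) and c[:len(p)] == p

def covers(nsec, name):
    """True if this NSEC proves that `name` does not exist."""
    owner, nxt, _ = nsec
    o, n, q = key(owner), key(nxt), key(name)
    if is_subdomain(nxt, name):      # empty non-terminal: name exists, no NXDOMAIN
        return False
    if o < n:
        return o < q < n
    return q > o and is_subdomain(name, nxt)   # last NSEC wraps to the apex

def closest_encloser(nsec, name):
    """Longest ancestor of `name` shared with the NSEC owner or next name."""
    q, best = key(name), 0
    for other in (key(nsec[0]), key(nsec[1])):
        common = 0
        for a, b in zip(q, other):
            if a != b:
                break
            common += 1
        best = max(best, common)
    return ".".join(reversed(q[:best]))

def synthesize(qname, cache, now):
    """'NXDOMAIN' if the cached NSECs alone prove it, else 'ASK_UPSTREAM'."""
    live = [r for r in cache if r[2] > now]    # TTL/signature still valid
    for nsec in live:
        if covers(nsec, qname):
            # An applicable wildcard prevents synthesis: prove it absent too.
            wildcard = "*." + closest_encloser(nsec, qname)
            if any(covers(w, wildcard) for w in live):
                return "NXDOMAIN"
            break
    return "ASK_UPSTREAM"

# Constructed zone example.org: apex, a, *.w (w is an empty non-terminal), z.
CACHE = [("example.org", "a.example.org", 300),
         ("a.example.org", "*.w.example.org", 300),
         ("*.w.example.org", "z.example.org", 300),
         ("z.example.org", "example.org", 300)]
```

With this cache, `b.example.org` is answered from the cache, while `foo.w.example.org` falls inside an NSEC gap but is not synthesized because `*.w.example.org` exists.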