On 21/10/2021 13.22, Peter van Dijk wrote:
Editorial nit, already hinted at above: the text currently has "Validating resolvers MAY 
return SERVFAIL when processing NSEC3 records with iterations larger than 500." - I suggest 
changing this to "validating resolvers MAY ignore NSEC3 records with iterations larger than 
500". That way, zones in the middle of a transition from 1000 to 0 iterations do not get 
punished. Zones at 1000, not in a transition, will still get SERVFAIL by virtue of the NSEC3 proof 
missing (because it is ignored).

I'm fine with either.  Ignoring such NSEC3 records seems to be clearly the easiest way of achieving "MAY return SERVFAIL".  On the other hand, the downgrading can turn out relatively complex and (security-)error-prone.

--Vladimir | knot-resolver.cz

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
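Peter's proposed wording (ignore over-cap NSEC3 records instead of SERVFAILing on sight) and Vladimir's remark that a zone with no usable proof still ends up bogus can be modelled directly. The block below is an added example for this thread, not code from either poster, from the draft, or from Knot Resolver. It implements the RFC 5155 hashed-owner-name computation (SHA-1 over the canonical wire name plus salt, iterated, base32hex-encoded), builds toy NSEC3 chains for a constructed four-name zone using the Appendix A salt, and compares a validator that drops records above the cap with one that fails as soon as it sees one. The denial check is deliberately simplified (one covering or matching record, no closest-encloser or wildcard proof); the 500-iteration cap and the 1000-to-0 transition are the values discussed in the thread.

```python
"""Toy model of a validating resolver's NSEC3 iteration cap (added example)."""
import hashlib
from dataclasses import dataclass

# RFC 5155 presents hashes in base32 with the extended-hex alphabet, lowercase.
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root byte last."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def b32hex(digest: bytes) -> str:
    """Base32hex without padding (a 20-byte SHA-1 digest is exactly 32 symbols)."""
    n = int.from_bytes(digest, "big")
    return "".join(BASE32HEX[(n >> shift) & 31] for shift in range(len(digest) * 8 - 5, -1, -5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32hex(h)


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str
    next_hash: str
    salt: bytes
    iterations: int


def build_chain(names, salt: bytes, iterations: int):
    """Hash every owner name and link the sorted hashes into a circular chain."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [NSEC3(h, hashes[(i + 1) % len(hashes)], salt, iterations) for i, h in enumerate(hashes)]


def covers(rec: NSEC3, h: str) -> bool:
    """True if h falls strictly between owner and next (handling the wrap-around record)."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def validate_nxdomain(chain, qname: str, max_iterations: int = 500) -> str:
    """Peter's wording: records over the cap are ignored; the proof must come from the rest.
    Returns 'secure' when a usable record covers the hashed qname, else 'bogus' (-> SERVFAIL).
    Simplified: no closest-encloser / wildcard proof, one covering record suffices."""
    usable = [r for r in chain if r.iterations <= max_iterations]
    for rec in usable:
        if covers(rec, nsec3_hash(qname, rec.salt, rec.iterations)):
            return "secure"
    return "bogus"


def validate_nxdomain_strict(chain, qname: str, max_iterations: int = 500) -> str:
    """The draft's current wording read literally: any over-cap record seen -> SERVFAIL."""
    if any(r.iterations > max_iterations for r in chain):
        return "bogus"
    return validate_nxdomain(chain, qname, max_iterations)


# Constructed zone; the salt is the one used in RFC 5155 Appendix A, the names are ours.
NAMES = ["example", "ns1.example", "a.example", "c.example"]
SALT = bytes.fromhex("aabbccdd")


def demo():
    """Outcomes for a non-existent name under the three zone states from the thread."""
    old = build_chain(NAMES, SALT, 1000)   # zone still at 1000 iterations
    new = build_chain(NAMES, SALT, 0)      # chain being rolled to 0 iterations
    return {
        # zone at 1000, not in transition: every record is ignored, no proof -> SERVFAIL either way
        "at_1000_ignore": validate_nxdomain(old, "b.example"),
        "at_1000_strict": validate_nxdomain_strict(old, "b.example"),
        # mid-transition: both chains present; only the "ignore" wording lets the 0-iteration proof through
        "transition_ignore": validate_nxdomain(old + new, "b.example"),
        "transition_strict": validate_nxdomain_strict(old + new, "b.example"),
        # rollover finished
        "at_0_ignore": validate_nxdomain(new, "b.example"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v}")
```

The two validators differ only for the mid-transition zone, which is exactly the case Peter's wording is meant to spare; a zone parked at 1000 iterations fails under both, as he notes, because nothing usable is left to prove the denial.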
