I like the text and how it's improving.
Note that a validating resolver MUST still validate the signature over
the NSEC3 record to ensure the iteration count was not altered since
record publication (see {{RFC5155}} section 10.3).
It might be better to clarify that this "MUST" does not really apply to
the SERVFAIL case. (The text around has changed recently.)
I think this SERVFAIL will generally be best implemented by simply
ignoring any NSEC3 above the corresponding limit. Maybe I'd even
standardize the case that way, but I don't care really. It's an
advantage unstated in the draft that this is very easy to do, leaving no
room for bugs (e.g. unintentional downgrade opportunities).
--Vladimir
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
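The resolver behaviour Vladimir describes, ignoring any NSEC3 whose iteration count is above the limit and returning SERVFAIL when no usable NSEC3 remains, as an added example that is not part of the original message or the draft. The iteration limit and the RDATA samples are constructed; the parser follows the NSEC3 RDATA wire layout of RFC 5155, and records that survive the filter would still have to pass RRSIG validation, which this snippet does not perform.

```python
import struct

# Resolver policy knob: a constructed value for this example, not a number
# taken from the message or the draft.
ITERATION_LIMIT = 100


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Parse NSEC3 RDATA (RFC 5155 section 3.2) into its fields.

    Layout: hash alg (1), flags (1), iterations (2, big-endian),
    salt length (1), salt, hash length (1), next hashed owner, type bitmaps.
    """
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA too short")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    if len(salt) != salt_len or pos >= len(rdata):
        raise ValueError("NSEC3 RDATA truncated before hash length")
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    if len(next_hashed) != hash_len:
        raise ValueError("NSEC3 RDATA truncated in next hashed owner name")
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hashed": next_hashed,
            "type_bitmaps": rdata[pos:]}


def usable_nsec3(records, limit=ITERATION_LIMIT):
    """Drop every NSEC3 whose iteration count exceeds the limit.

    Dropped records are never hashed against or signature-checked, so the
    limit cannot be turned into an unintended downgrade path.
    """
    parsed = (parse_nsec3_rdata(r) for r in records)
    return [f for f in parsed if f["iterations"] <= limit]


def denial_outcome(records, limit=ITERATION_LIMIT):
    """'SERVFAIL' if nothing usable remains to prove the denial, otherwise
    'VALIDATE' (the survivors still need RRSIG validation)."""
    return "VALIDATE" if usable_nsec3(records, limit) else "SERVFAIL"


def make_nsec3(iterations, salt=b"", next_hashed=b"\x00" * 20, bitmaps=b""):
    """Constructed helper building sample RDATA (SHA-1, opt-out clear)."""
    head = struct.pack("!BBHB", 1, 0, iterations, len(salt))
    return head + salt + bytes([len(next_hashed)]) + next_hashed + bitmaps
```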