Vladimír Čunát <vladimir.cunat+i...@nic.cz> writes:

> Note that a validating resolver MUST still validate the signature over
> the NSEC3 record to ensure the iteration count was not altered since
> record publication (see {{RFC5155}} section 10.3).
>
> It might be better to clarify that this "MUST" does not really apply to
> the SERVFAIL case. (The text around has changed recently.)
>
> I think this SERVFAIL will generally be best implemented by simply
> ignoring any NSEC3 above the corresponding limit. Maybe I'd even
> standardize the case that way, but I don't care really. It's an
> advantage unstated in the draft that this is very easy to do, leaving no
> room for bugs (e.g. unintentional downgrade opportunities).
So I've re-arranged things a bit to hopefully address the flow better. Let me know if you think further improvements are warranted.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
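The "simply ignore any NSEC3 above the limit" behaviour discussed in the thread, as an added illustration that is not code from the draft or from any resolver: the RFC 5155 section 5 hash computation, a cover check that rejects an over-limit (or unsigned) record before spending any SHA-1 work on it, and the resulting SERVFAIL when no usable record remains. The iteration limit of 150 and the NSEC3 records are constructed values; only the single "covers" step of a denial proof is shown, not the full closest-encloser logic.

```python
import hashlib
from base64 import b32encode

# RFC 5155 prints hashes in base32hex (RFC 4648 "Extended Hex" alphabet).
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: SHA-1 over the canonical wire-format name plus salt,
    then re-hashed `iterations` more times with the salt appended."""
    name = owner.rstrip(".").lower()
    labels = name.split(".") if name else []
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()


def nsec3_covers(qname: str, record: dict, iteration_limit: int):
    """True/False if the record's hash interval covers qname; None when the
    record is ignored. The limit check comes first, so an oversized count
    costs no hashing at all; an unverified RRSIG is ignored likewise, since
    the iteration count is only trustworthy once the signature validates."""
    if record["iterations"] > iteration_limit or not record["rrsig_valid"]:
        return None
    h = nsec3_hash(qname, record["salt"], record["iterations"])
    owner, nxt = record["owner_hash"].lower(), record["next_hash"].lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record wraps around the hash ring


def denial_decision(qname: str, records: list, iteration_limit: int) -> str:
    """Ignored records never contribute to the proof. With nothing usable
    covering the name, the resolver has no proof and answers SERVFAIL."""
    usable = [r for r in (nsec3_covers(qname, rec, iteration_limit) for rec in records)
              if r is not None]
    return "covered" if any(usable) else "SERVFAIL"


# Constructed sample: salt/iterations from the RFC 5155 Appendix A zone.
RECORD_OK = {"owner_hash": "0" * 32, "next_hash": "v" * 32, "salt": "aabbccdd",
             "iterations": 12, "rrsig_valid": True}
RECORD_TOO_MANY = dict(RECORD_OK, iterations=2500)  # above a constructed limit of 150
```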