Vladimír Čunát wrote on 2022-02-22 14:56:
On 22/02/2022 20.02, Geoff Huston wrote:
...
I believe that the cleanest and least bug-prone way to implement this
sub-case is to simply ignore any NSEC3 records with iterations over the
limit. You do not need to check any kind of signatures or any further
properties, as it's just trading one SERVFAIL for another SERVFAIL. ...
I hope I've stated my argument clearly now. Thanks for bearing with me.
+1.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
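
The approach described in the quoted message, as an added example that is not part of the thread or of any resolver's code: NSEC3 records whose iteration count is over a limit are dropped before any signature is checked, so a denial proof built only from such records fails as if the records were absent. The limit value, the function names and the sample records are assumptions constructed for illustration; the RDATA layout follows RFC 5155 section 3.2.

```python
import struct

ITERATION_LIMIT = 100  # assumed value for illustration; the thread names no number


def make_nsec3(iterations, salt=b"\xaa\xbb", next_hash=bytes(20)):
    """Build constructed NSEC3 RDATA (RFC 5155 section 3.2) for the samples."""
    return (struct.pack("!BBHB", 1, 0, iterations, len(salt)) + salt
            + bytes([len(next_hash)]) + next_hash + b"\x00\x01\x40")


def nsec3_iterations(rdata):
    """Return the Iterations field, rejecting RDATA too short to hold it."""
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA shorter than its fixed header")
    _alg, _flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    if len(rdata) < 5 + salt_len + 1:
        raise ValueError("NSEC3 RDATA truncated inside salt or hash length")
    return iterations


def usable_nsec3(rrset, limit=ITERATION_LIMIT):
    """Drop over-limit or malformed NSEC3 records before any RRSIG is checked."""
    kept = []
    for owner, rdata in rrset:
        try:
            if nsec3_iterations(rdata) <= limit:
                kept.append((owner, rdata))
        except ValueError:
            continue  # unparsable record: treated the same as absent
    return kept


def denial_outcome(rrset, limit=ITERATION_LIMIT):
    """Simplified: no usable NSEC3 means the proof is missing, hence SERVFAIL."""
    return "VALIDATE" if usable_nsec3(rrset, limit) else "SERVFAIL"


# Constructed sample records: (hashed owner name, RDATA)
SAMPLE = [("aaaa.example.", make_nsec3(10)),
          ("bbbb.example.", make_nsec3(2500)),
          ("cccc.example.", b"\x01\x00")]

if __name__ == "__main__":
    print([owner for owner, _ in usable_nsec3(SAMPLE)])
    print(denial_outcome(SAMPLE[1:]))
```

"VALIDATE" here only means that the remaining records go on to the normal signature and denial-proof checks, which this sketch does not implement.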