Wes, Viktor,

On Sun, 2022-03-06 at 20:36 -0800, internet-dra...@ietf.org wrote:
> Filename : draft-ietf-dnsop-nsec3-guidance-05.txt

Thank you for your continued work on this. This appears to be in excellent shape - you'd have my support in a WGLC. I love that we managed to get to "iterations count to 0 MUST" in this important document!

A few nits:

> Because hashing provides only moderate protection, as shown recently
> in academic studies of NSEC3 protected zones [GPUNSEC3][ZONEENUM].

This sentence appears to be lacking a second half.

> Operators are encouraged to forget the salt entirely

"forgo" perhaps? Or, easier on the eyes, "not use the salt at all"?

> Note that this specification significantly decreases the requirements
> originally specified in Section 10.3 of [RFC5155].

Should this document say "Updates: RFC5155"?

> man-it-the-middle attacks

man-in-the-middle

> Thus, validating resolver operators and software implementers SHOULD
> set the point above which a zone is treated for certain values of
> NSEC3 iterations counts to the same as the point where a validating
> resolver begins returning SERVFAIL.

Is "as insecure" missing after "treated"?

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
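The message above discusses two points of the draft that are easy to see in code: what an NSEC3 iterations count actually costs a validating resolver (each extra iteration is one more SHA-1 round per owner name, for the resolver as well as for an offline zone-enumeration attacker, which is why the draft pushes the count to 0 and drops the salt), and the suggestion that the "treat zone as insecure" cut-off and the "return SERVFAIL" cut-off should be the same number. The following Python is an added illustration written for this page; it is not code from the draft, from PowerDNS, or from the mailing-list thread. It implements the RFC 5155 NSEC3 owner-name hash (SHA-1, iterations, salt, base32hex output) and a small resolver-side policy function whose threshold values are constructed sample numbers, not figures the message states.

```python
import base64
import hashlib

# base32 (RFC 4648) alphabet -> base32hex "extended hex" alphabet, as NSEC3 uses.
_B32 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32, _B32HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire-format encoding of an owner name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # root label terminates the name


def nsec3_hash(name: str, iterations: int, salt_hex: str = "") -> str:
    """RFC 5155 NSEC3 hash of an owner name with hash algorithm 1 (SHA-1).

    H(x) = SHA1(x || salt); the result is re-hashed `iterations` more times,
    so the resolver performs iterations+1 SHA-1 calls per owner name.
    Output is base32hex, lowercase, without padding (20 bytes -> 32 chars).
    """
    # "-" is the presentation form of an empty salt in NSEC3/NSEC3PARAM records.
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def sha1_rounds(iterations: int) -> int:
    """SHA-1 invocations per NSEC3 owner name; iterations=0 is the minimum of one."""
    return iterations + 1


def nsec3_policy(iterations: int, insecure_above: int, servfail_above: int) -> str:
    """Resolver treatment of a zone whose NSEC3 records carry `iterations`.

    Returns "validate" (normal DNSSEC validation), "insecure" (the zone is
    treated as unsigned) or "servfail". A two-threshold policy leaves an
    "insecure" band between the two numbers; the guidance quoted in the
    message above is to make both thresholds the same, which empties that band.
    """
    if insecure_above > servfail_above:
        raise ValueError("insecure threshold must not exceed SERVFAIL threshold")
    if iterations > servfail_above:
        return "servfail"
    if iterations > insecure_above:
        return "insecure"
    return "validate"


def single_threshold_policy(iterations: int, limit: int) -> str:
    """The recommended shape: one cut-off, above which the answer is SERVFAIL."""
    return nsec3_policy(iterations, limit, limit)


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: SHA-1, 12 iterations, salt aabbccdd.
    print("example.  ->", nsec3_hash("example", 12, "aabbccdd"), "cost", sha1_rounds(12))
    # What the draft asks for: 0 iterations and no salt, one SHA-1 per name.
    print("example.  ->", nsec3_hash("example", 0, "-"), "cost", sha1_rounds(0))
    # Constructed sample thresholds (100 / 500) versus a single threshold (100).
    for it in (0, 50, 200, 600):
        print(f"iterations={it:4d}: two-threshold={nsec3_policy(it, 100, 500):9s}"
              f" single-threshold={single_threshold_policy(it, 100)}")
```

The hash routine can be checked against the RFC 5155 Appendix A test zone (salt aabbccdd, 12 iterations), where the owner "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom; with 0 iterations and no salt the same name costs a single SHA-1 call, which is the whole point of the draft's "iterations count to 0 MUST". The policy functions make the second nit concrete: with two different thresholds a zone can land in an "insecure" band where its signatures are silently ignored, while with one threshold a resolver either validates or returns SERVFAIL.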