On Sep 30, 2022, at 1:59 PM, Catherine Meadows via Datatracker <nore...@ietf.org> wrote:
> I found one thing that could use improving:
>
> The descriptions given in the additional documents of interest section all seem
> to be quotations from the documents described. In most cases this worked well,
> but I found the description of RFC4470 a little puzzling. It says that the
> RFC "describes how to construct DNSSEC NSEC resource records that cover a
> smaller range of names than called for by [RFC4034]".
>
> All the other descriptions mentioned have to do with some security-relevant
> topic, but it is hard to see what the security relevance of this is without
> more information. In this case, it might be helpful to include the next
> sentence, which is
> “By generating and signing these records on demand, authoritative name servers
> can effectively stop the disclosure of zone contents otherwise made possible
> by walking the chain of NSEC records in assigned zone.”
>
> This is still a little opaque, but then at least the reader should understand
> that the reason this document is relevant is that it prevents an attacker from
> learning all the names in a zone.
Thanks, this is a good catch. Fixed in the -04. --Paul Hoffman
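To make the security relevance that the quoted RFC 4470 sentence points at concrete, here is an added toy model (not code from this thread, the draft, or any DNS server). It holds a small constructed zone in memory, answers non-existence queries either with a pre-signed NSEC chain (RFC 4034 style) or with NSEC records synthesized on demand, and runs the same chain-following loop against both. `preceding()` is a simplified rendering of the RFC 4470 section 3.1.1 construction (it decrements the last octet of the leftmost label and pads with \255 to 63 octets, without the full padding to 255 octets the RFC describes); `following()` is the RFC's "prepend a \000 label" rule. The zone names and the `StaticNsecZone`/`MinimalNsecZone` classes are assumptions made for the example.

```python
# Toy model of NSEC chain walking versus RFC 4470 "minimally covering" NSEC
# records.  Constructed example for this thread; not code from any DNS server.
# Names are tuples of byte labels with the root omitted:
#   "www.example." -> (b"www", b"example")

def parse(name: str) -> tuple:
    """Turn a dotted name into a tuple of byte labels."""
    return tuple(l.encode("latin-1") for l in name.rstrip(".").split(".") if l)

def canonical_key(name: tuple) -> tuple:
    # RFC 4034 section 6.1 ordering: compare labels from the root leftward,
    # case-insensitively; a name sorts before any name beneath it.
    return tuple(l.lower() for l in reversed(name))

def following(name: tuple) -> tuple:
    # RFC 4470 section 3.1.1: prepending a "\000" label gives the name that
    # immediately follows `name` in canonical order.
    return (b"\x00",) + name

def preceding(name: tuple) -> tuple:
    # Simplified RFC 4470 construction: decrement the last octet of the leftmost
    # label and pad it with \255 to 63 octets.  Any ordinary hostname that sorts
    # before `name` also sorts before this synthesized owner name.
    first = bytearray(name[0])
    if first[-1] == 0:
        first.pop()
        if not first:
            return name[1:]          # leftmost label was "\000": parent precedes it
    else:
        first[-1] -= 1
    first.extend(b"\xff" * (63 - len(first)))
    return (bytes(first),) + name[1:]

# Constructed zone contents (assumption for the example).
ZONE = [parse(n) for n in ("example.", "www.example.", "mail.example.",
                           "a.example.", "secret-host.example.")]

class StaticNsecZone:
    """Authoritative zone with a pre-signed NSEC chain (RFC 4034 style)."""
    def __init__(self, names):
        self.names = sorted(set(names), key=canonical_key)
        self.apex = self.names[0]

    def nsec_for(self, qname: tuple) -> tuple:
        """Return the (owner, next) NSEC record whose interval covers qname."""
        key = canonical_key(qname)
        owner = self.names[0]
        for n in self.names:
            if canonical_key(n) <= key:
                owner = n
            else:
                break
        i = self.names.index(owner)
        return owner, self.names[(i + 1) % len(self.names)]   # last one wraps to apex

class MinimalNsecZone(StaticNsecZone):
    """Same zone, but denials are synthesized on demand (RFC 4470 style)."""
    def nsec_for(self, qname: tuple) -> tuple:
        if qname in self.names:
            raise ValueError("name exists; no denial of existence is needed")
        return preceding(qname), following(qname)

def walk(zone, max_steps: int = 50) -> set:
    """Follow NSEC 'next' pointers from the apex; return every name the responses
    contained.  This is the enumeration the quoted RFC sentence refers to."""
    learned, cursor = set(), zone.apex
    for _ in range(max_steps):
        owner, nxt = zone.nsec_for(following(cursor))
        learned.update({owner, nxt})
        if nxt == zone.apex:         # chain closed: every name has been seen
            break
        cursor = nxt
    return learned

def disclosed_names(zone, max_steps: int = 50) -> set:
    """Real zone names (other than the already-known apex) that a walk reveals."""
    return {n for n in walk(zone, max_steps) if n in zone.names} - {zone.apex}

def covers(owner: tuple, qname: tuple, nxt: tuple, names) -> bool:
    """True if owner < qname < next and no real zone name lies in between."""
    ko, kq, kn = canonical_key(owner), canonical_key(qname), canonical_key(nxt)
    return ko < kq < kn and not any(ko < canonical_key(n) < kn for n in names)

if __name__ == "__main__":
    print("static chain discloses:", sorted(disclosed_names(StaticNsecZone(ZONE))))
    print("on-demand records disclose:", sorted(disclosed_names(MinimalNsecZone(ZONE))))
```

Running it shows the difference the RFC sentence describes: the static chain hands back every name in the zone after a handful of queries, while the on-demand responder still proves non-existence for each query (the `covers` check passes) but its owner and next names are synthetic, so the walk never lands on a real name.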
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop