I saw this on the agenda for this afternoon. The proposed solution against zone-walking is to exclude names from an nsec chain.
Example, say "B" needs to be kept private from zone-walking, so have:

A.example. NSEC C.example.
B.example. A 192.168.10.10
C.example. NSEC ...

This is a terrible idea. This will break DNSSEC. Aggressive negative caching will make sure that B won't exist, since the A NSEC C record proves it.

Happy to discuss it in the WG this afternoon.

Roy
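
The failure described in the message above, as an added example that is not part of the original post: a small model of a validating resolver that reuses cached NSEC records (aggressive negative caching, RFC 8198) with RFC 4034 canonical name ordering. The names canonical_key, nsec_covers and AggressiveCache are hypothetical, and the cached record is constructed from the zone fragment in the message.

```python
# Added example with constructed data; function and class names are hypothetical.

def canonical_key(name):
    """Sort key per RFC 4034 section 6.1: lowercase labels, rightmost label first."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if the NSEC (owner -> next_name) proves that qname does not exist.

    Assumes qname lies inside the zone the NSEC record belongs to.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:                  # ordinary link in the chain
        return o < q < n
    return q > o or q < n      # last NSEC, which wraps back to the zone apex

class AggressiveCache:
    """Minimal model of a resolver that answers from validated NSEC records."""

    def __init__(self):
        self.nsecs = []        # (owner, next_name) pairs already validated

    def learn(self, owner, next_name):
        self.nsecs.append((owner, next_name))

    def answer(self, qname):
        for owner, next_name in self.nsecs:
            if nsec_covers(owner, next_name, qname):
                return "NXDOMAIN (synthesized from %s NSEC %s)" % (owner, next_name)
        return "ask the authoritative server"

def demo():
    cache = AggressiveCache()
    # Constructed: the resolver has validated the record from the message,
    # for instance while answering an unrelated negative query.
    cache.learn("A.example.", "C.example.")
    # B.example. sorts between A and C, so it is answered without a query;
    # D.example. is not covered and still goes upstream.
    return cache.answer("B.example."), cache.answer("D.example.")

if __name__ == "__main__":
    for line in demo():
        print(line)
```
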