On Mon, Dec 23, 2024 at 10:10 AM Shumon Huque <shu...@gmail.com> wrote:
> >
> > > Protocol optimizations that permit DNS resolvers to synthesize
> > > NXDOMAIN responses, like [RFC8020] and [RFC8198], cannot be realized
> > > with zones using Compact Denial of Existence. In general, no online
> > > signing scheme (including this one) that employs minimally covering
> > > NSEC records permits RFC 8198 style NXDOMAIN synthesis.
> > > Additionally, this protocol also precludes RFC 8020 style NXDOMAIN
> > > synthesis for DNSSEC enabled responses.
> >
> > Is the use of RFC 8198 fine with traditional "covering" NSEC responses
> > from a zone which also returns compact responses of this draft for
> > different queries, if some implementation wants to do it? Is there
> > anything in the protocol that prevents mixed ("covering" as well as this
> > draft's "compact" scheme) NSEC answers from a single zone? The above
> > text says "cannot be used with zones", perhaps it can be rewritten to:
> >
>
> I think this is already addressed with the phrase "with zones using
> Compact Denial of Existence".
>
> (In theory yes, the same zone could be using a mixture of compact and
> non-minimal NSEC, but I'm not aware of anyone doing this in the same
> implementation or provider. It does happen more frequently in
> multi-provider scenarios where one provider uses traditional nsec/nsec3
> and the other uses compact DOE.)
>

After staring at the text some more, I decided to clarify this section
after all, and have changed zone to responses as you suggest. Thanks!

Here's what I just merged into the github repo:

https://github.com/shuque/id-dnssec-compact-lies/commit/429533d30826a58c78d63ba811d970d3279de86f

Shumon.
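An added illustration, not part of the thread or of the draft's text: a Python sketch of the name-coverage test a validating resolver applies before RFC 8198 synthesis, run against a traditional covering NSEC and against a compact answer. It assumes the compact NSEC is owned by the query name with next name `\000.<qname>`, as the draft under discussion specifies; all names and records are constructed sample data, and every query name is assumed to lie inside the zone.

```python
# Added illustration; names and NSEC records below are constructed sample data.

def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    right to left as lowercased octets; a missing label sorts first.
    Simplification: labels are split on '.', escaped dots are not handled."""
    labels = [l.encode("latin-1").lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def covers(owner, nxt, qname):
    """True if the NSEC (owner -> nxt) proves that qname does not exist,
    i.e. qname sorts strictly between owner and next name."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if n <= o:          # last NSEC in the chain wraps around to the apex
        return q > o    # assumes qname is inside the zone
    return o < q < n

def synthesizable(cached_nsecs, qname):
    """Could a resolver answer qname negatively from cached NSECs alone?
    Only the name-coverage step of RFC 8198 is modelled here (no wildcard
    check, no TTL handling, no signature validation)."""
    return any(covers(o, n, qname) for o, n in cached_nsecs)

# One NSEC cached from a zone with a traditional NSEC chain.
TRADITIONAL = [("alpha.example.", "mike.example.")]
# One NSEC cached from a compact answer to a query for bravo.example.
COMPACT = [("bravo.example.", "\x00.bravo.example.")]

if __name__ == "__main__":
    for q in ("bravo.example.", "charlie.example.", "www.bravo.example."):
        print(f"{q:22} traditional={synthesizable(TRADITIONAL, q)} "
              f"compact={synthesizable(COMPACT, q)}")
```

The compact record matches only the name that was asked for and its interval contains no other name, so a cache holding it has nothing to synthesize from; a resolver that also holds covering NSECs from another provider of the same zone can still use those.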