> On Dec 26, 2024, at 14:05, John Levine <jo...@taugh.com> wrote:
>
> It's fine, but two niggles:
>
> It appears that Shumon Huque <shu...@gmail.com> said:
>> specific benefit for online signing implementations. Hence, there
>> does not appear to be a strong advantage to implementing Compact
>> Denial of Existence with NSEC3. An existing implementation of
>
> I'd say it more clearly
>
> Hence, there is no advantage to NSEC3 over NSEC when using Compact Denial of
> Existence.
>
> Someone is going to ask what about opt-out. I think the answer is that when
> doing online signing it's easier to sign everything than try and find the
> names whose hashes precede and follow the name you don't want to sign.
I would say online signing is a way superior operating practice to off-line signing; there is no need for NSEC3 in on-line signing operations! The old mentality of DNS operators that remote servers cannot be trusted to modify the content of zones is out-dated to say the least; if that is the case then the suspect servers should not be used. The DNS community has tried too hard to overcome operational issues with technical solutions when commercial agreements are more appropriate.

Olafur

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org