> On Thu, 26 Dec 2024, Shumon Huque wrote:
>> On Thu, Dec 26, 2024 at 2:05 PM John Levine <jo...@taugh.com> wrote:
>> Someone is going to ask what about opt-out. I think the answer is that when
>> doing online signing it's easier to sign everything than try and find the
>> names whose hashes precede and follow the name you don't want to sign.
> I was originally thinking of the space and memory cost savings of not
> needing to maintain a full NSEC3 chain in delegation centric zones with
> very sparse signed children (the argument of the original Opt-Out
> proponents).
> However, I guess for online signers, there is in fact a small computational
> advantage in not needing to dynamically construct a signed NSEC3 record
> in referral responses for delegated zones that are unsigned and appear
> within an Opt-Out span.
But this is a span of hashes. If you don't have the whole zone hashed,
how are you going to find the span? If you do have the whole zone hashed,
that doesn't sound like on-line signing.
R's,
John
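An added example, not code from this thread or from any DNS implementation, of what the objection above implies: to find the Opt-Out span covering an unsigned delegation, the signer must already hold every owner name in the zone hashed and sorted. The zone contents are constructed; the hash function follows RFC 5155 section 5.

```python
import hashlib
import base64
import bisect

# base32hex (RFC 4648) is the NSEC3 owner-name alphabet; map from b32encode's
# standard alphabet position-by-position.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3 hash: IH(0) = SHA-1(name || salt), IH(k) = SHA-1(IH(k-1) || salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_TO_HEX).decode().lower()

def hashed_chain(names, salt=b"", iterations=0):
    """The complete NSEC3 chain order: every signed name, sorted by hash."""
    return sorted((nsec3_hash(n, salt, iterations), n) for n in names)

def covering_span(chain, name, salt=b"", iterations=0):
    """Return the (previous, next) owner names whose hashes bracket `name`.
    Requires the whole sorted chain; there is no shortcut for one name."""
    h = nsec3_hash(name, salt, iterations)
    hashes = [x[0] for x in chain]
    i = bisect.bisect_left(hashes, h)
    if i < len(hashes) and hashes[i] == h:
        raise ValueError(f"{name} is itself in the signed chain")
    prev = chain[i - 1][1]            # i == 0 wraps to the last hash
    nxt = chain[i % len(chain)][1]    # i == len wraps to the first hash
    return prev, nxt

if __name__ == "__main__":
    # Constructed zone: apex plus three signed names; the unsigned delegation
    # 'unsigned.example.' is absent from the chain and falls in an Opt-Out span.
    signed = ["example.", "a.example.", "b.example.", "c.example."]
    chain = hashed_chain(signed)
    print(covering_span(chain, "unsigned.example."))
```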
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org