On Thu, Dec 26, 2024 at 3:48 PM John R Levine <jo...@taugh.com> wrote:
> On Thu, 26 Dec 2024, Shumon Huque wrote:
> >
> > However, I guess for online signers, there is in fact a small computational
> > advantage in not needing to dynamically construct a signed NSEC3 record
> > in referral responses for delegated zones that are unsigned and appear
> > within an Opt-Out span.
>
> But this is a span of hashes. If you don't have the whole zone hashed,
> how are you going to find the span? If you do have the whole zone hashed,
> that doesn't sound like on-line signing.
>

D'oh! You are right - I didn't fully think through that case. I retract my comment then :)

I guess in theory, an implementation could support a mixture of minimally covering NSEC3 records, and some non-minimally covering NSEC3 records to allow the construction of spans where Opt-Out could be leveraged, but I'm not sure who would actually want to do that.

We are back to finding a persuasive argument for doing NSEC3 then (other than it can be done).

Shumon.
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org