On Thu, 26 Dec 2024, Shumon Huque wrote:

> On Thu, Dec 26, 2024 at 3:48 PM John R Levine <jo...@taugh.com> wrote:
>
>> On Thu, 26 Dec 2024, Shumon Huque wrote:
>>
>>> However, I guess for online signers, there is in fact a small
>>> computational advantage in not needing to dynamically construct a
>>> signed NSEC3 record in referral responses for delegated zones that are
>>> unsigned and appear within an Opt-Out span.
>>
>> But this is a span of hashes.  If you don't have the whole zone hashed,
>> how are you going to find the span?  If you do have the whole zone hashed,
>> that doesn't sound like on-line signing.
>
> D'oh! You are right - I didn't fully think through that case. I retract my
> comment then :)

That's OK, I had come up with a complicated example where you want to sign all the names except the IDNs so you precompute an opt-out RRSIG covering xn-- to xn-\. and then, the exact same D'oh!

R's,
John

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
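
The point about needing the whole zone hashed, as an added example that is not part of the original thread: it computes RFC 5155 NSEC3 hashes and finds the Opt-Out span covering an unsigned delegation. The zone names, the salt aabbccdd and the 12 iterations are constructed sample data, and the function names are hypothetical.

```python
import base64
import bisect
import hashlib

# base64.b32encode uses the RFC 4648 alphabet; NSEC3 uses base32hex, lowercase here.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def wire(name):
    """Canonical (lowercased) wire format of an ASCII owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` further rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode()

def covering_span(chain_names, qname, salt_hex, iterations):
    """Return (prev_hash, next_hash) of the NSEC3 span covering qname,
    or None if qname has its own NSEC3 record (a match, not a cover)."""
    chain = sorted(nsec3_hash(n, salt_hex, iterations) for n in chain_names)
    h = nsec3_hash(qname, salt_hex, iterations)
    i = bisect.bisect_left(chain, h)
    if i < len(chain) and chain[i] == h:
        return None
    # chain[i - 1] wraps to the last hash when i == 0; the modulo wraps the
    # upper end to the first hash when h sorts after every entry.
    return chain[i - 1], chain[i % len(chain)]

# Constructed sample data: names that own NSEC3 records in a zone "example".
# c.example is an unsigned delegation and is left out of the chain (Opt-Out).
SALT, ITER = "aabbccdd", 12
CHAIN_NAMES = ["example", "a.example", "ai.example", "ns1.example",
               "ns2.example", "w.example", "*.w.example", "x.w.example",
               "y.w.example", "x.y.w.example", "xx.example"]

if __name__ == "__main__":
    print("H(c.example) =", nsec3_hash("c.example", SALT, ITER))
    print("full chain   :", covering_span(CHAIN_NAMES, "c.example", SALT, ITER))
    # A signer that has hashed only part of the zone can return a different span.
    print("partial chain:", covering_span(CHAIN_NAMES[:3], "c.example", SALT, ITER))
```

The span can only be located by sorting the hashes of every name in the chain, which is why a signer without the whole zone hashed cannot pick the right NSEC3 record.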
