On Thu, Feb 27, 2025 at 8:09 AM Christian Elmerot <christ...@elmerot.se> wrote:
> Thank you for the helpful review, Murray! > > > > > Why the "SHOULD" in Section 3.1? What is the impact if I don't do > > that? Why > > might I legitimately choose not to do that? "SHOULD" implies there > > are answers > > to these questions. > > > > > > I guess because epsilon functions in minimally covering NSEC records > don't > > necessarily need to be precise. However, I see no compelling reason not > to > > do so in this case, and all known implementations follow what we > > propose. So, > > I will change this to "MUST" (barring any objections from the working > > group). > > I disagree that this should be "MUST" as that would prevent an > authoritative nameserver to respond with a wider namespace than > potentially "just" the owner name and the immediate lexicographical > successor. This could for instance be desirable in response to a random > prefix attack. This with the caveat that there exist no names in the > covered namespace. Changing "SHOULD" to "MUST" would prevent an > implementer from having that option. > For normal operations it is more natural, and simpler, to use the > immediate lexicographic successor but it should not be a hard > requirement in my opinion. > > /Christian > Fair enough, I agree then that we should keep that option open for implementers. Let's leave this as a SHOULD. Shumon.
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
