On 07/03/2022 19.06, Wes Hardaker wrote:
The -05 version sounds clearer here than -04 ("not respond" above) or
-03. Thanks.
You should check -06 too -- I restructured it to read better (IMHO)
Right, I agree that -06 is better.
___
DNSOP mailing list
Vladimír Čunát writes:
> On 26/02/2022 00.30, Wes Hardaker wrote:
> > Validating resolvers MAY choose to not respond to NSEC3 records with
> > iterations larger than 0.
>
> The -05 version sounds clearer here than -04 ("not respond" above) or
> -03. Thanks.
You should check -06 too -- I restru
On 26/02/2022 00.30, Wes Hardaker wrote:
Validating resolvers MAY choose to not respond to NSEC3 records with
iterations larger than 0.
The -05 version sounds clearer here than -04 ("not respond" above) or
-03. Thanks.
--Vladimir
Vladimír Čunát writes:
> On 09/02/2022 22.41, Wes Hardaker wrote:
>
> So I've re-arranged things a bit to hopefully address the flow better.
> Let me know if you think further improvements are warranted.
>
> I'd still probably suggest at least a minimalist change like:
> -Note that
Vladimír Čunát wrote on 2022-02-22 14:56:
On 22/02/2022 20.02, Geoff Huston wrote:
...
I believe that the cleanest and least bug-prone way to implement this
sub-case is to simply ignore any NSEC3 records with iterations over the
limit. You do not need to check any kind of signatures or an
On 22/02/2022 20.02, Geoff Huston wrote:
I’m not sure I follow that latter comment relating to "a validating resolver
returning an insecure response" - Do you mean:
a) - a DNSSEC-validation capable resolver responding to a query that had the CD
bit set?
b) - a DNSSEC-validation capable resolv
> On 22 Feb 2022, at 10:29 pm, Vladimír Čunát
> wrote:
>
> On 09/02/2022 22.41, Wes Hardaker wrote:
>> So I've re-arranged things a bit to hopefully address the flow better.
>> Let me know if you think further improvements are warranted.
>>
> I'd still probably suggest at least a minimalist cha
On 09/02/2022 22.41, Wes Hardaker wrote:
So I've re-arranged things a bit to hopefully address the flow better.
Let me know if you think further improvements are warranted.
I'd still probably suggest at least a minimalist change like:
-Note that a validating resolver MUST still validate the sig
Vladimír Čunát writes:
> Note that a validating resolver MUST still validate the signature over
> the NSEC3 record to ensure
> the iteration count was not altered since record publication (see
> {{RFC5155}} section 10.3).
>
> It might be better to clarify that this "MUST" does not r
I like the text and how it's improving.
Note that a validating resolver MUST still validate the signature over
the NSEC3 record to ensure the iteration count was not altered since
record publication (see {{RFC5155}} section 10.3).
It might be better to clarify that this "MUST" does not really