
question about dnssec-protocol-04



draft-ietf-dnsext-dnssec-protocol-04, section 2.3 has the following 
paragraph:

   An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
   RRsets at any particular owner name.  That is, the signing process
   MUST NOT create (or RRSIG) RRs for owner names nodes which were not
   the owner name of any RRset before the zone was signed.

[There is an editing nit here, too: s/MUST NOT create (or/MUST NOT create 
NSEC (or/, I think.]

I feel sure that I have just forgotten the discussion about this, but why 
does this restriction exist?  What harm would NSEC records of this sort 
cause?

It is true that I cannot think of any useful reason to do this, but 
forbidding such NSEC records should have some real problem associated with 
it.

-- 
David Blacka    <davidb@verisignlabs.com> 
Sr. Engineer    Verisign Applied Research
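Added example (not part of this message or of the draft): a small zone-lint check in Python for the rule quoted above, run over a constructed signed-zone fragment in which the name ghost.example. exists only because the signer emitted an NSEC (and its RRSIG) there. Owner names, TTLs and signature fields are made up; the RRSIG rdata is abbreviated.

```python
"""Lint check for the dnssec-protocol-04 section 2.3 rule: no owner name in a
signed zone may carry only an NSEC RRset (plus its covering RRSIG)."""

# Constructed sample of a signed zone in presentation format (not a real zone).
# Fields: owner, TTL, class, type, rdata (rdata abbreviated for readability).
SAMPLE_ZONE = """\
example.        3600 IN SOA   ns.example. hostmaster.example. 1 7200 3600 1209600 3600
example.        3600 IN NS    ns.example.
example.        3600 IN NSEC  a.example. SOA NS RRSIG NSEC
example.        3600 IN RRSIG NSEC 5 1 3600 20040601000000 20040501000000 12345 example. AAAA
a.example.      3600 IN A     192.0.2.1
a.example.      3600 IN NSEC  ghost.example. A RRSIG NSEC
a.example.      3600 IN RRSIG NSEC 5 2 3600 20040601000000 20040501000000 12345 example. AAAA
ghost.example.  3600 IN NSEC  ns.example. RRSIG NSEC
ghost.example.  3600 IN RRSIG NSEC 5 2 3600 20040601000000 20040501000000 12345 example. AAAA
ns.example.     3600 IN A     192.0.2.53
ns.example.     3600 IN NSEC  example. A RRSIG NSEC
ns.example.     3600 IN RRSIG NSEC 5 2 3600 20040601000000 20040501000000 12345 example. AAAA
"""


def parse_zone(text):
    """Return {owner: {rrtype: [rdata, ...]}} for a one-record-per-line zone."""
    rrsets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets.setdefault(owner.lower(), {}).setdefault(rtype.upper(), []).append(rdata)
    return rrsets


def nsec_only_names(rrsets):
    """Owner names whose RRsets are nothing but NSEC and RRSIG, i.e. nodes that
    did not exist before signing and that the signer MUST NOT have created."""
    return sorted(owner for owner, types in rrsets.items()
                  if set(types) <= {"NSEC", "RRSIG"})


if __name__ == "__main__":
    for name in nsec_only_names(parse_zone(SAMPLE_ZONE)):
        print(f"violation: {name} carries only NSEC/RRSIG RRsets")
```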


archive: <http://ops.ietf.org/lists/namedroppers/>