Re: question about dnssec-protocol-04
> draft-ietf-dnsext-dnssec-protocol-04, section 2.3 has the following
> paragraph:
>
> An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
> RRsets at any particular owner name. That is, the signing process
> MUST NOT create (or RRSIG) RRs for owner names nodes which were not
> the owner name of any RRset before the zone was signed.
>
> [There is an editing nit here, too: s/MUST NOT create (or/MUST NOT create
> NSEC (or/, I think.]
>
> I feel sure that I have just forgotten the discussion about this, but why
> does this restriction exist? What harm would NSEC records of this sort
> cause?
A signed zone should return the same answers as an unsigned
zone modulo DNSSEC records.
> It is true that I cannot think of any useful reason to do this, but
> forbidding such NSEC records should have some real problem associated with
> it.
Without the rule it also means that an UPDATE client needs
to know to delete NSEC when the last regular record is
deleted. This introduces race conditions between the client
and the server which don't exist if the server is left to
manage the creation and deletion of NSEC.
> --
> David Blacka <davidb@verisignlabs.com>
> Sr. Engineer Verisign Applied Research
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
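The situation Mark describes, as an added toy model (not code from the draft, from ISC or from either poster): a constructed zone is signed with an NSEC chain, an UPDATE client then deletes the last regular RRset at a name, and the server's maintenance pass is what removes the now-orphaned NSEC/RRSIG and relinks the chain. The zone contents, the `maintain_nsec`/`find_orphan_nsec` helpers and the way RRSIGs are modelled (as a list of covered types, not real signatures) are all assumptions made for illustration.

```python
"""Toy model of NSEC chain maintenance in a signed zone.

Constructed example, not from dnssec-protocol-04 or any real signer. It
shows the state section 2.3 forbids (a name carrying only NSEC + RRSIG)
and the server-side step that removes it after a dynamic update.
"""

# Types that exist only because the zone is signed.
DNSSEC_TYPES = {"NSEC", "RRSIG"}


def canonical_key(name: str):
    """Sort key approximating DNS canonical ordering: labels compared
    right to left, case-insensitively, as byte strings."""
    labels = name.rstrip(".").lower().encode("ascii").split(b".")
    return tuple(reversed(labels))


def regular_types(rrsets: dict) -> set:
    """RR types at a name that are not DNSSEC maintenance records."""
    return set(rrsets) - DNSSEC_TYPES


def find_orphan_nsec(zone: dict) -> list:
    """Names violating the draft's rule: NSEC present, nothing else regular."""
    return sorted(
        (n for n, rr in zone.items() if "NSEC" in rr and not regular_types(rr)),
        key=canonical_key,
    )


def maintain_nsec(zone: dict, apex: str) -> dict:
    """Server-side (re)signing step: drop names that have no regular data,
    strip old NSEC/RRSIG, then rebuild the chain in canonical order.
    'RRSIG' is modelled as the sorted list of types it covers (assumption)."""
    for name in list(zone):
        if not regular_types(zone[name]):
            del zone[name]            # nothing left at this name to prove
        else:
            zone[name].pop("NSEC", None)
            zone[name].pop("RRSIG", None)
    names = sorted(zone, key=canonical_key)
    assert names[0] == apex, "apex must sort first in canonical order"
    for i, name in enumerate(names):
        nxt = names[(i + 1) % len(names)]   # last NSEC wraps back to the apex
        bitmap = sorted(regular_types(zone[name]) | DNSSEC_TYPES)
        zone[name]["NSEC"] = [(nxt, bitmap)]
        zone[name]["RRSIG"] = sorted(regular_types(zone[name]) | {"NSEC"})
    return zone


def nsec_chain(zone: dict, apex: str) -> list:
    """Follow NSEC 'next name' pointers from the apex; return names visited."""
    order, cur = [], apex
    while cur not in order and len(order) <= len(zone):
        order.append(cur)
        cur = zone[cur]["NSEC"][0][0]
    return order


def client_delete_rrset(zone: dict, name: str, rtype: str) -> dict:
    """What a dynamic-update client does: remove one regular RRset.
    It does not touch NSEC or RRSIG; under the rule that is the server's job."""
    del zone[name][rtype]
    return zone


def sample_zone() -> dict:
    """Constructed unsigned zone used by the demo (sample data)."""
    return {
        "example.": {"SOA": ["ns.example. hostmaster.example. 1 3600 900 604800 300"],
                     "NS": ["ns.example."]},
        "ns.example.": {"A": ["192.0.2.53"]},
        "a.example.": {"A": ["192.0.2.1"]},
        "b.example.": {"TXT": ['"v=spf1 -all"']},
    }


def demo() -> tuple:
    """Sign, let a client delete the last regular RRset at a.example.,
    observe the orphan NSEC, then let the server fix the chain."""
    apex = "example."
    zone = maintain_nsec(sample_zone(), apex)
    before = nsec_chain(zone, apex)
    client_delete_rrset(zone, "a.example.", "A")
    orphans = find_orphan_nsec(zone)        # the state section 2.3 forbids
    maintain_nsec(zone, apex)               # server removes it and relinks
    after = nsec_chain(zone, apex)
    return before, orphans, after, find_orphan_nsec(zone)


if __name__ == "__main__":
    for label, value in zip(("before", "orphans", "after", "remaining"), demo()):
        print(f"{label}: {value}")
```

Between the client's delete and the server's `maintain_nsec` pass the zone briefly holds an NSEC-only name; if the client were responsible for removing that NSEC itself, the same window would be open to a second updater and to the signer at once, which is the race the reply is pointing at.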
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>