Re: question about dnssec-protocol-04
On Monday 22 December 2003 3:41 pm, Mark.Andrews@isc.org wrote:
> A signed zone should return the same answers as an unsigned
> zone modulo DNSSEC records.
Where does this requirement come from?
> > It is true that I cannot think of any useful reason to do this, but
> > forbidding such NSEC records should have some real problem associated
> > with it.
>
> Without the rule it also means that a UPDATE client needs
> to know to delete NSEC when the last regular record is
> deleted. This introduces race conditions between the client
> and the server which don't exist if the server is left to
> manage the creation and deletion of NSEC.
I don't see how allowing solo NSEC records is incompatible with the server
managing the NSEC records. That seems like a policy issue to me. I will
agree that UPDATE clients shouldn't deal with NSEC records directly.
I'll be clear here: I am not bothered by this restriction per se. While I
haven't seen the light as to why solo NSEC records are bad, I also think that
they are useless. What bothers me is that a) if they are harmless, then they
shouldn't be forbidden, and b) if they aren't, then the "why" of the rule
needs to be in the document as well. If I'm confused by this now, then
someone two years from now will probably be confused by this as well, and
telling them to search the namedroppers archives for an explanation is
not...good.
--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer Verisign Applied Research
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
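The server-side NSEC maintenance that Mark's reply argues for, shown as an added example that is not part of this thread or of any DNS implementation: a toy zone that rebuilds its NSEC chain after every UPDATE-style add or delete. Deleting the last regular record at a name removes that name's NSEC and rewrites the predecessor's NSEC next-name field, which is exactly the state an UPDATE client would have to track (and could race on) if it managed NSEC itself. The `Zone` class, all owner names and all record data are constructed for the example; RRSIGs are left out, though they still appear in the NSEC type bitmap as RFC 4034 requires.

```python
"""Toy model of server-managed NSEC chains (constructed example, not from
the thread). Owner names and rdata below are sample data; RRSIG records
are omitted for brevity."""
from collections import defaultdict


def canonical_key(name):
    """Sort key for RFC 4034 canonical DNS name order: labels compared
    right to left, case-insensitively (so example.com < a.example.com)."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


class Zone:
    def __init__(self, apex):
        self.apex = apex.rstrip(".").lower()
        # owner name -> rrtype -> set of rdata strings
        self.rrsets = defaultdict(lambda: defaultdict(set))

    def regular_names(self):
        """Names owning at least one non-NSEC record, in canonical order."""
        return sorted(
            (n for n, types in self.rrsets.items()
             if any(t != "NSEC" and rd for t, rd in types.items())),
            key=canonical_key)

    def rebuild_nsec(self):
        """Server-side maintenance: one NSEC per name that still has regular
        data, each pointing at the next such name, the last wrapping to the
        apex. A name with no regular data gets no NSEC (no 'solo' NSEC)."""
        for types in self.rrsets.values():
            types.pop("NSEC", None)
        names = self.regular_names()
        for i, owner in enumerate(names):
            nxt = names[(i + 1) % len(names)]
            present = [t for t, rd in self.rrsets[owner].items() if rd]
            # NSEC and RRSIG are present at every name of a signed zone
            bitmap = sorted(present + ["NSEC", "RRSIG"])
            self.rrsets[owner]["NSEC"].add(f"{nxt} {' '.join(bitmap)}")
        # Drop owners that no longer hold any record of any type
        for owner in [n for n, t in self.rrsets.items() if not any(t.values())]:
            del self.rrsets[owner]

    def add(self, owner, rtype, rdata):
        """UPDATE-style add of one RR; the client never touches NSEC."""
        self.rrsets[owner.rstrip(".").lower()][rtype].add(rdata)
        self.rebuild_nsec()

    def delete(self, owner, rtype, rdata=None):
        """UPDATE-style delete of one RR (or a whole RRset when rdata is
        None). The server, not the client, re-links the NSEC chain."""
        owner = owner.rstrip(".").lower()
        types = self.rrsets.get(owner)
        if types is None:
            return
        if rdata is None:
            types.pop(rtype, None)
        else:
            types[rtype].discard(rdata)
        self.rebuild_nsec()

    def nsec_chain(self):
        """(owner, next owner) pairs of every NSEC, in canonical order."""
        chain = []
        for owner in sorted(self.rrsets, key=canonical_key):
            for rd in self.rrsets[owner].get("NSEC", ()):
                chain.append((owner, rd.split()[0]))
        return chain

    def solo_nsec_names(self):
        """Names whose only record is an NSEC, the case the thread debates.
        With server-side maintenance this list is always empty."""
        return [n for n, t in self.rrsets.items()
                if {k for k, v in t.items() if v} == {"NSEC"}]

    def chain_is_closed(self):
        """Every regular name has an NSEC, and following next-name pointers
        from the apex visits each name once before returning to the apex."""
        names = self.regular_names()
        nxt = dict(self.nsec_chain())
        if set(nxt) != set(names):
            return False
        seen, cur = [], self.apex
        while cur not in seen:
            seen.append(cur)
            cur = nxt.get(cur)
            if cur is None:
                return False
        return cur == self.apex and len(seen) == len(names)


def demo():
    """Delete the last regular record at a.example.com and report the
    chain before and after, the solo-NSEC check and the closure check."""
    z = Zone("example.com")
    z.add("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300")
    z.add("example.com", "NS", "ns1.example.com.")
    z.add("a.example.com", "A", "192.0.2.1")
    z.add("b.example.com", "A", "192.0.2.2")
    before = z.nsec_chain()
    z.delete("a.example.com", "A", "192.0.2.1")
    after = z.nsec_chain()
    return before, after, z.solo_nsec_names(), z.chain_is_closed()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that one client delete of a single A record changes two NSEC RRsets: the NSEC at a.example.com disappears and the apex NSEC's next-name moves from a.example.com to b.example.com. The client that issued the delete knows neither which name precedes its target in canonical order nor whether another update has changed that between its read and its write; the server, serialising updates against the live zone, does.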