Re: question about dnssec-protocol-04
On Mon, 22 Dec 2003, David Blacka wrote:
> draft-ietf-dnsext-dnssec-protocol-04, section 2.3 has the following
> paragraph:
>
> An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
> RRsets at any particular owner name. That is, the signing process
> MUST NOT create (or RRSIG) RRs for owner names nodes which were not
> the owner name of any RRset before the zone was signed.
>
> [There is an editing nit here, too: s/MUST NOT create (or/MUST NOT create
> NSEC (or/, I think.]
>
> I feel sure that I have just forgotten the discussion about this, but why
> does this restriction exist? What harm would NSEC records of this sort
> cause?
The current thinking is that empty non-terminals in the non-dnssec realm
become non-empty non-terminals when one starts to associate (dnssec)
records with them. That introduces different meanings from different
perspectives (secure and non-secure) over a single dataset. I'm not happy
with the difference. I don't know the impact of that difference, though
it's likely to be small, even benign (but it _is_ a difference).
I'd rather not allow it so we don't have to deal with weird corner cases in
the future.
> It is true that I cannot think of any useful reason to do this, but
> forbidding such NSEC records should have some real problem associated with
> it.
Allowing such NSEC records should have some useful reason associated with
it, is the way I think.
Roy.
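To make the draft's rule concrete, here is an added example (my own code, not part of the message above, the draft, or any signer implementation). It builds the NSEC chain of a small constructed zone from the owner names that actually own RRsets, lists the empty non-terminals that therefore get no NSEC, and shows which NSEC "covers" such a node from the secure perspective. The zone contents, the apex name `example.` and all function names are assumptions made for the illustration.

```python
"""Added example (not the namedroppers message or the draft): NSEC chain
construction that only signs owner names which owned RRsets before signing,
and a look at how an empty non-terminal then appears to a validator.
All zone data below is constructed for the example."""

from typing import Dict, List, Optional, Set, Tuple

# Constructed toy zone, pre-signing: owner name -> set of RR types present.
# b.example. is deliberately NOT an owner: it exists in the name tree only
# because a.b.example. does, i.e. it is an empty non-terminal.
ZONE_APEX = "example."
ZONE_RRSETS: Dict[str, Set[str]] = {
    "example.":     {"SOA", "NS"},
    "a.b.example.": {"A"},
    "c.example.":   {"MX"},
}


def canonical_key(name: str) -> List[bytes]:
    """Canonical DNS name ordering (RFC 4034 section 6.1): compare labels from
    the root end, case-insensitively; a missing label sorts before any label,
    which Python's list comparison gives us for free."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return labels[::-1]


def empty_non_terminals(apex: str, rrsets: Dict[str, Set[str]]) -> Set[str]:
    """Names that exist in the tree (a proper ancestor of some owner, below the
    apex) but own no RRset.  Per the draft these MUST NOT receive an NSEC."""
    apex_depth = len(canonical_key(apex))
    ents: Set[str] = set()
    for owner in rrsets:
        labels = canonical_key(owner)
        # every proper ancestor strictly between the apex and the owner
        for depth in range(apex_depth + 1, len(labels)):
            ancestor = ".".join(l.decode("ascii") for l in labels[:depth][::-1]) + "."
            if ancestor not in rrsets:
                ents.add(ancestor)
    return ents


def nsec_chain(apex: str, rrsets: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Build (owner, next owner, type bitmap) triples in canonical order.
    Only names in `rrsets` get an NSEC; the last one points back to the apex.
    NSEC and RRSIG are added to the bitmap since signing creates them."""
    owners = sorted(rrsets, key=canonical_key)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]          # wrap to the apex at the end
        types = sorted(rrsets[owner] | {"NSEC", "RRSIG"})
        chain.append((owner, nxt, types))
    return chain


def covering_nsec(chain: List[Tuple[str, str, List[str]]], qname: str) -> Optional[Tuple[str, str]]:
    """Return the (owner, next) NSEC whose gap covers qname, or None if qname
    is itself an NSEC owner (then the NSEC at the name answers instead)."""
    q = canonical_key(qname)
    for owner, nxt, _ in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None
        wraps = n <= o                               # last record: next is the apex
        if o < q < n or (wraps and (q > o or q < n)):
            return (owner, nxt)
    return None


if __name__ == "__main__":
    chain = nsec_chain(ZONE_APEX, ZONE_RRSETS)
    for owner, nxt, types in chain:
        print(f"{owner} NSEC {nxt} {' '.join(types)}")
    print("empty non-terminals (no NSEC):", empty_non_terminals(ZONE_APEX, ZONE_RRSETS))
    print("b.example. is covered by:", covering_nsec(chain, "b.example."))
```

Run it and the chain is `example. -> a.b.example. -> c.example. -> example.`; `b.example.` gets no NSEC because it owned nothing before signing, and from the chain's point of view it simply falls in the gap between `example.` and `a.b.example.`, which is the secure-versus-non-secure difference in meaning the reply above is uneasy about.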
archive: <http://ops.ietf.org/lists/namedroppers/>