On 25 Feb 2016, at 10:18, Ted Lemon wrote:

> I'm sorry to be a sticky wicket here, but I have to ask: have you thought about what a guaranteed-correct implementation of this would look like? I think you need to actually do that analysis before we proceed with this.

Can you say more? It seems like the spec in the draft is a guaranteed-correct implementation: if you have a current validated statement that nothing exists between N1 and N2, and you later get a query for something between N1 and N2, send back NXDOMAIN directly.

> As best I understand it, getting this right is not trivial, and getting it wrong would be harmful. While it clearly would help in the context of widespread adoption of DNSSEC, I'm not convinced that the security risk of the added complexity would be compensated for by an actual reduction in woe at the root.

Please say more about the "security risk". I'm missing it.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
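
The rule discussed in the message above ("nothing exists between N1 and N2"), worked through as an added example that is not code from the draft or from either poster. The names `canon_key` and `NsecCache` and the zone `example.` are constructed for illustration; it assumes NSEC signatures were already validated and names contain no escaped characters.

```python
import time

def canon_key(name):
    """RFC 4034 section 6.1 order: labels right to left, lowercased, bytewise."""
    labels = [l for l in name.lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

class NsecCache:
    """Validated NSEC ranges; signature validation itself is assumed done upstream."""

    def __init__(self):
        self.ranges = []  # (owner_key, next_key, apex_key, expires_at)

    def add_validated(self, owner, next_name, apex, ttl, now=None):
        now = time.time() if now is None else now
        self.ranges.append(
            (canon_key(owner), canon_key(next_name), canon_key(apex), now + ttl))

    def can_synthesize_nxdomain(self, qname, now=None):
        """Name coverage only; the wildcard-absence proof a full NXDOMAIN
        answer also needs is omitted from this example."""
        now = time.time() if now is None else now
        q = canon_key(qname)
        for n1, n2, apex, expires in self.ranges:
            if now >= expires:            # only a *current* statement counts
                continue
            if q[:len(apex)] != apex:     # query is outside this zone
                continue
            if n2 <= n1:                  # last NSEC: next name wraps to the apex
                covered = q > n1
            else:
                covered = n1 < q < n2
            # An ancestor of the next name is an empty non-terminal: it exists.
            is_ent = n2[:len(q)] == q
            if covered and not is_ent:
                return True
        return False

# Constructed sample zone "example." with two NSEC records, cached at t=1000.
cache = NsecCache()
cache.add_validated("a.example.", "x.y.example.", "example.", ttl=300, now=1000)
cache.add_validated("x.y.example.", "example.", "example.", ttl=300, now=1000)
```

Here `y.example.` falls between the two NSEC names in canonical order yet must not get NXDOMAIN, because it is an empty non-terminal above `x.y.example.`.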
