On 29 Feb 2016, at 8:13, Warren Kumari wrote:
I *think* that the document / proposal implicitly handles this case
already.
Please make the "if the root zone isn't signed with NSEC then fall back"
explicit. Implicit to you is confusing to others.
If the root (of whatever tree / name resolution system you have) is
not
DNSSEC signed, you do not get back valid NSEC records. If you do not
get
back valid NSEC records, there is no work to do.
It's more than that. It is "and you have to go back to doing 4035".
I guess I could sprinkle "DNS" all over:
"The scope of this document is limited to the special case of
recursive
DNSSEC validating resolvers querying the root zone.", e.g
"The scope of this document is limited to the special case of
recursive
DNSSEC validating resolvers querying the IANA administered DNS root
zone."
Please no. (Ed might disagree with me on this.) I think every document
that talks about the DNS in the IETF is about the IANA-administered DNS
except where loudly noted.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
