On Mon, Feb 29, 2016 at 11:27 AM Paul Hoffman <[email protected]> wrote:
> On 29 Feb 2016, at 8:13, Warren Kumari wrote:
>
> > I *think* that the document / proposal implicitly handles this case
> > already.
>
> Please make the "if the root zone isn't signed with NSEC then fall back"
> explicit. Implicit to you is confusing to others.
>
> > If the root (of whatever tree / name resolution system you have) is not
> > DNSSEC signed, you do not get back valid NSEC records. If you do not get
> > back valid NSEC records, there is no work to do.
>
> It's more than that. It is "and you have to go back to doing 4035".
>

"If the root zone is no longer DNSSEC signed with NSEC records then this document no longer applies. Resolvers MUST continue to work in such an environment."

Not sure where I can add the "do 4035" wording - if the root is no longer DNSSEC signed, 4035 doesn't apply at all. I think that the above text handles things, but I may be missing something...

> > I guess I could sprinkle "DNS" all over:
> > "The scope of this document is limited to the special case of recursive
> > DNSSEC validating resolvers querying the root zone.", e.g.
> > "The scope of this document is limited to the special case of recursive
> > DNSSEC validating resolvers querying the IANA administered DNS root
> > zone."
>
> Please no. (Ed might disagree with me on this.) I think every document
> that talks about the DNS in the IETF is about the IANA-administered DNS
> except where loudly noted.
>

I added "global DNS root zone." initially, but I've just removed global (in the editor copy / github version - I'm trying to incorporate people's comments as I get them, so that folk can follow along at home and make sure that I'm accurately capturing what they are requesting. Current version is (hopefully always!) at: https://github.com/wkumari/draft-wkumari-dnsop-cheese-shop/ )

> --Paul Hoffman
>
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
