On Thu, Oct 06, 2016 at 02:53:38AM -0400, Tim Wicinski <tjw.i...@gmail.com> wrote a message of 17 lines which said:
> Just a reminder that the WGLC for
> draft-ietf-dnsop-nsec-aggressiveuse will end later today (barring
> any stuck issues). The authors appear to have addressed all open
> issues

The way I understand it, in -03, there are no more *positive* answers
(NOERROR synthesized from a wildcard in the cache), only negative ones
(NXDOMAIN). Am I correct? (If so, I agree with the change.)

If this is true, then I would suggest some work on rewriting section 7
new text for updating RFC 4035. True, the cache needs to look at
wildcards to see if it can synthesize NXDOMAINs or not but the way it
is written, it is confusing, since a wildcard would *prevent*
synthesis. Maybe:

   Once the records are validated, DNSSEC enabled validating
   resolvers MAY use NSEC/NSEC3 resource records to generate negative
   responses until their effective TTLs or signatures for those
   records expire. (This also requires checking that there is no
   wildcard applicable for the QNAME.)
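
The check discussed in the message above, as an added example that is not part of the original post or of the draft: a cache may answer NXDOMAIN from NSEC records only if one cached NSEC covers the QNAME and no wildcard at the closest encloser could apply. The function names and the sample zone are constructed for illustration; NSEC3 is not covered.

```python
# Added illustration (not from the draft or the mailing-list post).
# Names are absolute, written without the trailing dot, and lie in one zone.
# All cached NSEC records are assumed already DNSSEC-validated and unexpired.

def key(name):
    """Canonical ordering key (RFC 4034 section 6.1): labels right to left, lowercased."""
    return tuple(l.encode() for l in reversed(name.lower().split(".")))

def covers(nsec, name):
    """True if `name` sorts strictly between the NSEC owner and its next name."""
    owner, nxt, k = key(nsec[0]), key(nsec[1]), key(name)
    if owner < nxt:
        return owner < k < nxt
    return k > owner or k < nxt  # last NSEC of the zone wraps back to the apex

def common_ancestor(a, b):
    """Longest name that is an ancestor of (or equal to) both a and b."""
    ka, kb = key(a), key(b)
    n = 0
    while n < min(len(ka), len(kb)) and ka[n] == kb[n]:
        n += 1
    return ".".join(l.decode() for l in reversed(ka[:n]))

def can_synthesize_nxdomain(cache, qname):
    """cache: list of (owner, next) NSEC pairs. Returns (decision, reason)."""
    hit = next((r for r in cache if covers(r, qname)), None)
    if hit is None:
        return False, "no cached NSEC covers QNAME"
    ce = max((common_ancestor(qname, n) for n in hit), key=lambda a: len(key(a)))
    if key(ce) == key(qname):
        return False, "QNAME is an empty non-terminal (NODATA, not NXDOMAIN)"
    wildcard = "*." + ce
    if any(key(r[0]) == key(wildcard) for r in cache):
        return False, f"wildcard {wildcard} exists"
    if not any(covers(r, wildcard) for r in cache):
        return False, f"no cached NSEC covers {wildcard}"
    return True, f"QNAME and {wildcard} both proven absent"

# Constructed sample: the full NSEC chain of a small zone, in canonical order.
SAMPLE = [
    ("example.com", "alpha.example.com"),
    ("alpha.example.com", "*.wild.example.com"),
    ("*.wild.example.com", "zulu.example.com"),
    ("zulu.example.com", "example.com"),
]
```

With only the second record of `SAMPLE` in the cache, a query for `mike.example.com` is covered but must still go upstream, because nothing cached proves that `*.example.com` is absent.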