John,

At 2016-11-27 15:18:18 -0000
"John Levine" <[email protected]> wrote:

> >What are the consequences of the authoritative server returning
> >synthesized unsigned NSEC3 RRs upon being signalled by the resolver
> >using an EDNS option?
>
> A message to the world that there is no need to sign your zones,
> because we will solve your problems by magic. Please, let's not
> go there.

Well, to be fair, such a bloom-filter based approach helps not only people who have unsigned zones but also zones using NSEC3 opt-out and people using minimally-covering NSEC records (RFC 4470) - which I think CloudFlare is using some variant of.

Perhaps the bloom-filter idea is something that should be explored after all (although I admit I don't see the relation to the unsigned NSEC3 approach)?

Cheers,

--
Shane
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
