In your previous mail you wrote:

> There are still many popular unsigned zones, many of which don't look
> like they will be signed soon due to operational and other reasons.
>
> Will you give some thought and reply with your opinion on NSEC/NSEC3 for
> unsigned zones requiring the DNS COOKIE option in transmission, that can
> be used with draft-ietf-dnsop-nsec-aggressiveuse?
=> I can't parse your message:

- unsigned zones have no zone keys
- DNS cookie was designed to give a return routability proof for the client, not the server
- there is no NSEC/NSEC3 in an unsigned zone

Perhaps you mean to return a synthesized NSEC/NSEC3 and the DNS COOKIE is as usual required to avoid amplification DoS. But what will be the signing key (including on the client side) and what to put in the NSEC/NSEC3? Perhaps this applies only to authoritative servers of the (unsigned) zone?

It seems easier to remember that DNSSEC offers proofs for denial of existence.

Regards
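The reply's second point (a DNS cookie proves return routability of the client, which is what lets a server withhold large replies such as negative answers from unproven sources) can be made concrete. The following is an added illustration written for this page, not code from the mail or from any DNS implementation. It uses the EDNS COOKIE wire layout of RFC 7873 (option code 10, 8-byte client cookie, 8 to 32 byte server cookie, extended RCODE BADCOOKIE = 23) and the RFC 9018 server-cookie layout (version, reserved, timestamp, 8-byte hash). Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for the SipHash-2-4 that RFC 9018 specifies, the acceptance window (1 hour past, 5 minutes future) and the "BADCOOKIE until proven" policy are the example's own choices, and all addresses and secrets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

COOKIE_OPTION_CODE = 10   # EDNS option code for COOKIE (RFC 7873)
BADCOOKIE = 23            # extended RCODE defined by RFC 7873
CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_LEN = 16    # RFC 9018 layout: version(1) reserved(3) timestamp(4) hash(8)
MAX_AGE = 3600            # accept server cookies up to 1 hour old (assumed policy)
MAX_SKEW = 300            # and up to 5 minutes in the future (assumed policy)


def encode_cookie_option(client_cookie, server_cookie=b""):
    """Build the EDNS option: OPTION-CODE, OPTION-LENGTH, client cookie [+ server cookie]."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option):
    """Parse a COOKIE option; RFC 7873 allows 8 bytes (client only) or 16..40 bytes."""
    if len(option) < 4:
        raise ValueError("truncated EDNS option")
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) != length:
        raise ValueError("not a well-formed COOKIE option")
    if not (len(data) == CLIENT_COOKIE_LEN or 16 <= len(data) <= 40):
        raise ValueError("illegal COOKIE option length %d" % len(data))
    return data[:CLIENT_COOKIE_LEN], data[CLIENT_COOKIE_LEN:]


def make_server_cookie(secret, client_cookie, client_ip, timestamp):
    """Server cookie bound to the client's cookie and its source address.

    RFC 9018 hashes (client cookie | version | reserved | timestamp | client IP)
    with SipHash-2-4 under a server secret.  Assumption here: HMAC-SHA256
    truncated to 8 bytes stands in for SipHash-2-4; the binding is the same.
    """
    header = b"\x01" + b"\x00\x00\x00" + struct.pack("!I", timestamp & 0xFFFFFFFF)
    tag = hmac.new(secret, client_cookie + header + client_ip, hashlib.sha256).digest()[:8]
    return header + tag


def server_cookie_is_valid(secret, client_cookie, server_cookie, client_ip, now):
    """True only if the cookie was minted by us, for this client cookie and IP, recently."""
    if len(server_cookie) != SERVER_COOKIE_LEN or server_cookie[0] != 1:
        return False
    ts = struct.unpack("!I", server_cookie[4:8])[0]
    expected = make_server_cookie(secret, client_cookie, client_ip, ts)
    if not hmac.compare_digest(expected, server_cookie):
        return False
    age = now - ts
    return -MAX_SKEW <= age <= MAX_AGE


def handle_query(option, client_ip, secret, now):
    """Server-side decision: full answer only after the client proved return routability.

    Returns (rcode, response_option).  0 means the full (possibly large) answer may be
    sent; BADCOOKIE means a short reply that only hands out a fresh server cookie
    (RFC 7873 section 5.2.3).  Policy assumed: no large reply to an unproven source.
    """
    client_cookie, server_cookie = decode_cookie_option(option)
    fresh = make_server_cookie(secret, client_cookie, client_ip, now)
    if server_cookie and server_cookie_is_valid(secret, client_cookie, server_cookie, client_ip, now):
        return 0, encode_cookie_option(client_cookie, fresh)
    return BADCOOKIE, encode_cookie_option(client_cookie, fresh)


def run_handshake(secret, client_ip, now):
    """Drive one client through the exchange: first query is refused, retry with the
    learned server cookie succeeds.  Returns (rcode1, rcode2, server_cookie, client_cookie)."""
    client_cookie = os.urandom(CLIENT_COOKIE_LEN)
    rcode1, reply = handle_query(encode_cookie_option(client_cookie), client_ip, secret, now)
    _, learned = decode_cookie_option(reply)
    rcode2, _ = handle_query(encode_cookie_option(client_cookie, learned), client_ip, secret, now + 1)
    return rcode1, rcode2, learned, client_cookie


if __name__ == "__main__":
    # Constructed sample values: RFC 5737 documentation address and a random secret.
    print(run_handshake(os.urandom(32), bytes([192, 0, 2, 10]), 1_700_000_000)[:2])
```

The point the example makes is the one in the reply: the cookie proves that whoever sent the query can receive packets at the source address, so a server can keep its first reply small (BADCOOKIE plus a cookie) and reserve large answers, including any denial-of-existence data, for proven clients. It says nothing about who could sign a synthesized NSEC/NSEC3 for an unsigned zone; that remains the open question in the mail.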
