On 20.7.2017 17:00, Stephane Bortzmeyer wrote:
> On Tue, Jul 18, 2017 at 06:20:56PM +0530,
> Mukund Sivaraman <[email protected]> wrote
> a message of 27 lines which said:
>
>> It is to put draft-ietf-dnsop-nsec-aggressiveuse to use with unsigned
>> zones.
>
> That's quite funny. During the development of RFC 8020
> (draft-ietf-dnsop-nxdomain-cut), which addresses the same concern as
> draft-ietf-dnsop-nsec-aggressiveuse, many people said that the feature
> was dangerous, and we should mandate the use of DNSSEC. In the end, it
> is not mandatory (see sections 2, 3rd para, and section 7 of RFC
> 8020).

It is worth noting that the implementation in Unbound enables this only for DNSSEC-signed zones to avoid problems with broken CDNs. In other words, DNSSEC is used as an indicator "we can do DNS properly". That sounds reasonable to me.

Petr Špaček @ CZ.NIC

> draft-ietf-dnsop-nsec-aggressiveuse is more aggressive (because it can
> now synthesize answers) so it seems to me the same reasons should
> apply?

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
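
An added illustration, not part of the original thread and not Unbound's code: a toy negative cache that applies the RFC 8020 NXDOMAIN cut only when the cached NXDOMAIN was DNSSEC-validated. The class, its method names and the zone names are hypothetical, and the "broken CDN" is assumed to be an unsigned zone that answers NXDOMAIN for an empty non-terminal.

```python
# Toy model of gating the NXDOMAIN cut on DNSSEC validation (added example).
# All names below are hypothetical; the sample data is constructed.

class NegativeCache:
    def __init__(self, require_dnssec=True):
        self.require_dnssec = require_dnssec
        self._nxdomain = {}  # tuple of labels -> was the NXDOMAIN validated?

    @staticmethod
    def _labels(name):
        return tuple(name.lower().rstrip(".").split("."))

    def store_nxdomain(self, name, validated):
        self._nxdomain[self._labels(name)] = validated

    def denies(self, qname):
        """True if the cache alone is enough to answer qname with NXDOMAIN."""
        labels = self._labels(qname)
        for i in range(len(labels)):
            suffix = labels[i:]
            if suffix not in self._nxdomain:
                continue
            if i == 0:
                return True  # exact match: ordinary negative caching
            # An ancestor is cached as NXDOMAIN: apply the cut only if the
            # policy allows it for this (validated or unvalidated) entry.
            if self._nxdomain[suffix] or not self.require_dnssec:
                return True
        return False


def demo():
    """Compare the DNSSEC-gated policy with an ungated one (constructed data)."""
    results = {}
    for label, gated in (("gated", True), ("ungated", False)):
        cache = NegativeCache(require_dnssec=gated)
        # Unsigned zone, assumed broken: NXDOMAIN for an empty non-terminal
        # even though img.cdn.example.net exists below it.
        cache.store_nxdomain("cdn.example.net", validated=False)
        # Signed zone: validated NXDOMAIN for a name that really is gone.
        cache.store_nxdomain("gone.example.org", validated=True)
        results[label] = (cache.denies("img.cdn.example.net"),
                          cache.denies("a.b.gone.example.org"))
    return results


if __name__ == "__main__":
    print(demo())
```

With the gate on, the resolver still asks upstream for the name under the unsigned zone, while the validated NXDOMAIN is allowed to cover everything below it.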
