On Thu, Apr 9, 2020 at 6:10 PM Benjamin Kaduk <[email protected]> wrote:

> >
> > Sure (the short summary is that the adversary can just trivially enumerate
> > the zone by querying the provider that employs NSEC). Will add some text.
>
> Oh!  I was misreading this sentence -- I thought that the loss of
> protection was due to mixing NSEC and NSEC3 and some sort of cross-protocol
> interaction, but of course this is just the inherent property of any use of
> NSEC.  So maybe s/Doing so/Any use of NSEC/?
>

Yup, that's correct. And your rewording makes it clearer. Will update.

> Section 14.1
> > >
> > > RFCs 2136, 5731 don't currently seem to be cited in a manner that
> > > requires a normative reference.
> > >
> > Yes, ok. I will promote those references.
>

It seems it's my turn to misread. I see now that those are currently already
normative references, and the suggested action is to demote those to
informative.

The reason we had made those normative is that UPDATE and EPP are
feasible key management APIs for these models, although I know of no
managed DNS provider that currently offers those options. So perhaps
your suggestion is fine.

Shumon.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
