Hello Nick,

The closest encloser proof is explained in RFC 7129, Section 5.5.

    https://tools.ietf.org/html/rfc7129#section-5.5

Best regards,

Matthijs

On 10/9/20 1:46 AM, Nick Johnson wrote:
> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for
> "closest encloser" proofs to prove nonexistence of a domain. Given that
> the RFC requires generating NSEC3 records on empty non-terminals, isn't
> it sufficient to examine a single NSEC3 record to prove nonexistence?
> 
> For example, if I want to prove the nonexistence of a.b.c.example, isn't
> it sufficient to validate an NSEC3 record that covers that name and is
> one level higher (eg, somehash.b.c.example)? Why do I need to prove the
> closest-encloser with a second NSEC3 record?
> 
> -Nick Johnson
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
> 
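
Background for the closest encloser proof, as an added example (not from this thread or from either RFC): NSEC3 owner names are hashes placed directly under the zone apex, so a record covering H(a.b.c.example) does not show which ancestor exists or whether a wildcard below it would have answered the query. The two zones, the empty salt and the zero iteration count are constructed, and the full hash chain stands in for the signed NSEC3 records a response would carry (no opt-out).

```python
import base64, hashlib

B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: iterated SHA-1 over the lowercase wire-format name."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode()

def build_chain(names):
    """Sorted NSEC3 owner hashes: every name plus its empty non-terminals."""
    owners = set()
    for name in names:
        labels = name.split(".")
        owners.update(".".join(labels[i:]) for i in range(len(labels)))
    return sorted(nsec3_hash(n) for n in owners)

def covering(chain, name):
    """Return the (owner, next) hash pair whose gap contains H(name), else None."""
    h = nsec3_hash(name)
    for owner, nxt in zip(chain, chain[1:] + chain[:1]):
        if owner < h < nxt or (owner >= nxt and (h > owner or h < nxt)):
            return owner, nxt
    return None

def nxdomain_proof(chain, qname):
    """Closest encloser matches, next closer covered, wildcard covered."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser) in chain:  # longest existing ancestor
            next_closer = ".".join(labels[i - 1:])
            wildcard = "*." + encloser
            ok = bool(covering(chain, next_closer) and covering(chain, wildcard))
            return ok, encloser, wildcard
    return False, None, None

# Constructed zones: identical except that the second one has a wildcard.
PLAIN = build_chain(["example", "x.b.c.example"])
WILD = build_chain(["example", "x.b.c.example", "*.b.c.example"])

if __name__ == "__main__":
    for label, chain in (("plain", PLAIN), ("wildcard", WILD)):
        print(label, "| qname covered:", bool(covering(chain, "a.b.c.example")),
              "| full proof:", nxdomain_proof(chain, "a.b.c.example"))
```

In both zones a single NSEC3 record covers the query name, but only the plain zone passes the full proof; in the wildcard zone the name would be answered by `*.b.c.example`, which is why a validator also needs the closest encloser match and the wildcard denial.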
