Alvaro Retana via Datatracker <[email protected]> writes:

> Should this document formally Update RFC5155? Besides providing "guidance on
> setting NSEC3 parameters", there is also Normative language that seems similar
> to what is in rfc5155, but not the same. For example:
>
> In §3.2 this document says:
>
> Validating resolvers MAY return an insecure response to their clients
> when processing NSEC3 records with iterations larger than 0. Note
> also that a validating resolver returning an insecure response MUST
> still validate the signature over the NSEC3 record to ensure the
> iteration count was not altered since record publication (see
> [RFC5155] section 10.3).
>
> I couldn't find text in rfc5155 about how returning insecure responses is
> optional, but I did find this in §10.3 that seems related to the validation
> requirement:
>
> A resolver MAY treat a response with a higher value as insecure,
> after the validator has verified that the signature over the NSEC3
> RR is correct.
>
> Reading further, §3.2 does say that "this specification updates [RFC5155]", but
> there's no indication in the header or anywhere else.
As discussed in other threads, the replacement version will update 5155.

And yes, I agree that the returning of insecure for large values is not spelled out in a really strong way (and is one of the reasons I think the DNSOP WG thinks our document is a good update as we specify this with greater clarity).

--
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
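The ordering the thread turns on (verify the RRSIG over the NSEC3 RR first, and only then let an over-limit iteration count downgrade the answer to insecure) is modelled below as an added example; it is not code from the draft, RFC 5155 or the mailing-list participants. The `max_iterations` threshold, the `Status` enum and the sample owner name and salt are assumptions for illustration.

```python
import hashlib
from enum import Enum

# Added example, not from the draft or RFC 5155: NSEC3 hashing per RFC 5155
# section 5 plus the resolver decision the thread discusses.

_B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 base32hex alphabet


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """Return the lowercase base32hex NSEC3 hash of an owner name.

    H0 = SHA-1(wire_name || salt); Hk = SHA-1(H(k-1) || salt), k = 1..iterations.
    Cost is iterations + 1 SHA-1 calls per name, which is why large counts matter.
    """
    trimmed = owner.lower().rstrip(".")
    labels = trimmed.split(".") if trimmed else []
    wire = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    bits = int.from_bytes(digest, "big")  # 160 bits -> exactly 32 base32hex chars
    return "".join(_B32HEX[(bits >> (5 * i)) & 31] for i in range(31, -1, -1))


class Status(Enum):  # assumed validation outcomes for the demo
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


def classify_nsec3(iterations: int, rrsig_valid: bool, max_iterations: int) -> Status:
    """Decide how a validator treats an NSEC3 RR with the given iteration count.

    The signature check comes first: a record whose RRSIG fails is BOGUS, never
    INSECURE, so a tampered iteration count cannot buy an insecure downgrade.
    Only a correctly signed record above the local limit is returned as insecure.
    """
    if not rrsig_valid:
        return Status.BOGUS
    if iterations > max_iterations:
        return Status.INSECURE
    return Status.SECURE


if __name__ == "__main__":
    # Constructed sample: salt and count as in RFC 5155 Appendix A, owner "example."
    print(nsec3_hash("example.", "aabbccdd", 12))
    for count, valid in ((0, True), (150, True), (150, False)):
        print(count, valid, classify_nsec3(count, valid, max_iterations=0).value)
```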
