On 3/5/23 23:17, Geoff Huston wrote:
1.) Maybe it's worth pointing out that zones using compact denial SHOULD
(MUST?) use NSEC, not NSEC3.
Could you please explain your thinking here? In the same way that the 'compact'
NSEC record specifies a minimal span of non-existence across the sorted
namespace, then why can't a compact NSEC3 record define a minimal span in the
sorted space of hashed names? I must be missing something here.
No, you're right, it surely can. However, the draft says "NSEC" everywhere and
makes no mention of NSEC3. I tried to make the point that if this is intentional, it's
worth pointing out that intention.
I suspect it is intentional, because there seems little value in jumping
through NSEC3's extra hoops like hashing and dealing with NSEC3PARAM when you
don't get any of the benefit NSEC3 was designed for. (Compact NSEC answers
prevent zone enumeration just as well, if not better.)
I'm not sure if there are use cases where one would want compact DoE together
with NSEC3 opt-out. It doesn't seem to me like that would be a good idea: after
all, you're online signing a compact DoE, so why care about opt-out? -- If
there is no such use case, NSEC should suffice.
Peter
--
https://desec.io/
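As an added illustration of the "minimal span" both posters refer to (example code written for this note, not from the draft, from deSEC, or from either poster): it builds the compact NSEC span [qname, \000.qname) in RFC 4034 canonical order and the analogous NSEC3 span [H(qname), H(qname)+1) in hashed space, and checks that each covers exactly the queried name. The type-bitmap signalling the draft uses is left out, and the salt and iteration count are constructed values.

```python
import hashlib
import base64

# Names are handled as lists of byte labels, leftmost label first.

def labels(name):
    """Split a presentation name into lowercased byte labels (root dropped)."""
    return [l.lower().encode() for l in name.rstrip('.').split('.') if l]

def canonical_key(lbls):
    """RFC 4034 canonical order: compare from the rightmost label leftwards."""
    return tuple(reversed(lbls))

def nsec_successor(lbls):
    """Immediate successor in canonical order: prepend a single \\000 label."""
    return [b'\x00'] + lbls

def in_span(owner, nxt, q):
    """True if q lies in the half-open canonical span [owner, nxt)."""
    return canonical_key(owner) <= canonical_key(q) < canonical_key(nxt)

def compact_nsec(qname):
    """Compact NSEC for a non-existent qname: owner = qname, next = successor.
    The span contains the queried name and nothing else."""
    o = labels(qname)
    return o, nsec_successor(o)

B32HEX = str.maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
                       '0123456789ABCDEFGHIJKLMNOPQRSTUV')

def nsec3_hash(lbls, salt=b'', iterations=0):
    """RFC 5155 hash: SHA-1 over wire-format name || salt, then iterated."""
    wire = b''.join(bytes([len(l)]) + l for l in lbls) + b'\x00'
    d = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        d = hashlib.sha1(d + salt).digest()
    return d

def compact_nsec3(qname, salt=b'', iterations=0):
    """Compact NSEC3: owner hash = H(qname), next hash = H(qname) + 1,
    i.e. the minimal span in the sorted space of hashed names."""
    h = nsec3_hash(labels(qname), salt, iterations)
    nxt = ((int.from_bytes(h, 'big') + 1) % (1 << 160)).to_bytes(20, 'big')
    return h, nxt

def to_b32hex(digest):
    """Owner-name form of an NSEC3 hash (base32hex, lowercase, no padding)."""
    return base64.b32encode(digest).decode().translate(B32HEX).lower()
```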
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop