> Compact DoE, and RFC4470 already appear to violate it for ENT responses. And
> it was (arguably) already violated by pre-computed NSEC3 (5155), where an
> empty non-terminal name (or rather the hash of it) does solely own an
> NSEC3 record.
NSEC3 is different. Because NSEC3 hashes the labels into a flat space, it hides the in-zone structure, which is something a multi-label deep zone [rather uncommon] would need. The impact is that empty non-terminals must be represented in the NSEC3 chain to adequately prove a name does not have records or subordinates (NXDOMAIN). Because the NSEC resource record exposes the full name involved, the resolver can infer where empty, non-terminal names exist in the zone. This is the reason behind the notion that at most two NSEC resource record sets are needed to answer negatively, whereas up to three NSEC3 resource record sets may be needed.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
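As an added illustration of the two-versus-three point (example code, not from the thread or any DNS implementation): a small Python model of both chains over a constructed zone with one empty non-terminal, `b.example.`. The NSEC chain carries no record for the ENT and an NXDOMAIN for a name under it needs two NSEC RRs, while the NSEC3 chain must carry a hashed owner for the ENT and the proof can need three. Helper names, the zone and the salt are constructed for this example.

```python
import base64
import hashlib

# Constructed zone: b.example. is an empty non-terminal, only a.b.example. holds data.
ZONE = {'example.', 'b.example.', 'a.b.example.'}
ENTS = {'b.example.'}
B32HEX = bytes.maketrans(b'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', b'0123456789ABCDEFGHIJKLMNOPQRSTUV')

def canon(name):
    # RFC 4034 s6.1 canonical order: case-folded labels compared right to left (non-root names).
    return [l.lower().encode() for l in name.rstrip('.').split('.')][::-1]

def nsec3_hash(name, salt=b'', iterations=0):
    # RFC 5155 s5: SHA-1(wire name || salt), re-hashed `iterations` times, owner in base32hex.
    wire = b''.join(bytes([len(l)]) + l.lower().encode() for l in name.rstrip('.').split('.')) + b'\x00'
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(B32HEX).decode().lower()

def chain(owners, key):
    # Circular chain of (owner, next) pairs in sorted order.
    s = sorted(set(owners), key=key)
    return list(zip(s, s[1:] + s[:1]))

def covers(rr, name, key):
    # True when `name` sorts strictly between the record's owner and its next name.
    o, n, q = key(rr[0]), key(rr[1]), key(name)
    return o < q < n if o < n else (q > o or q < n)

def closest_encloser(existing, qname):
    # Longest existing ancestor of qname; an ENT exists even though it owns no data.
    labels = qname.split('.')
    return next('.'.join(labels[i:]) for i in range(1, len(labels)) if '.'.join(labels[i:]) in existing)

def nsec_nxdomain_proof(existing, ents, qname):
    # RFC 4035 s3.1.3.2: NSEC covering qname plus NSEC covering the wildcard at the
    # closest encloser. ENTs own no NSEC; the exposed next-owner name reveals them.
    ch = chain(existing - ents, canon)
    wild = '*.' + closest_encloser(existing, qname)
    return {rr for rr in ch if covers(rr, qname, canon) or covers(rr, wild, canon)}

def nsec3_nxdomain_proof(existing, qname, salt=b'', iterations=0):
    # RFC 5155 s8.4: NSEC3 matching the closest encloser (so the ENT must own one),
    # NSEC3 covering the next closer name, NSEC3 covering the wildcard: up to three RRs.
    h = lambda n: nsec3_hash(n, salt, iterations)
    ch = chain([h(n) for n in existing], str)
    ce = closest_encloser(existing, qname)
    next_closer = '.'.join(qname.split('.')[-(ce.count('.') + 2):])
    return {rr for rr in ch if rr[0] == h(ce) or covers(rr, h(next_closer), str)
            or covers(rr, h('*.' + ce), str)}
```

Whether the NSEC3 proof actually needs two or three distinct records depends on where the hashes of the next closer name and the wildcard land in the chain; the matching record for the ENT is always required.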