On Thu, Dec 26, 2024 at 2:05 PM John Levine <[email protected]> wrote:

>
> Someone is going to ask what about opt-out. I think the answer is that when
> doing online signing it's easier to sign everything than try and find the
> names whose hashes precede and follow the name you don't want to sign.
>

I was originally thinking of the space and memory cost savings of not
needing to maintain a full NSEC3 chain in delegation centric zones with
very sparse signed children (the argument of the original Opt-Out
proponents).

However, I guess for online signers, there is in fact a small computational
advantage in not needing to dynamically construct a signed NSEC3 record
in referral responses for delegated zones that are unsigned and appear
within an Opt-Out span. So, I think a case could be made that this is a
valid reason to do NSEC3 with this protocol.

You may be right that it is simpler just to on-the-fly sign everything
rather than dealing with the conditional Opt-Out behavior, but I think
it's worth documenting the tradeoff.

Shumon.
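The chain-size tradeoff discussed in this thread, as an added example that is not part of the mailing-list post: it builds the NSEC3 chain for a constructed delegation-centric zone (the names and DS flags are invented) both without and with Opt-Out, so one can see how many NSEC3 RRs an authoritative server must hold and sign in each case, and which spans end up carrying the Opt-Out flag.

```python
import base64
import hashlib

# Constructed delegation-centric zone (names and DS flags are invented):
# (owner, kind, has signed DS). Most children are unsigned delegations.
ZONE = [
    ("example.", "apex", False),
    ("a.example.", "delegation", False),
    ("b.example.", "delegation", True),
    ("c.example.", "delegation", False),
    ("d.example.", "delegation", False),
    ("e.example.", "delegation", True),
    ("www.example.", "auth", False),
]
# base32 -> base32hex alphabet, as RFC 5155 requires for NSEC3 owner names
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: SHA-1 over the wire-format owner name plus salt,
    re-hashed `iterations` more times, then base32hex encoded."""
    labels = [l.encode() for l in name.lower().strip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_HEX).lower()

def covers(owner, nxt, h):
    # Hash h lies strictly inside span (owner, nxt); the last span wraps to the first.
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def nsec3_chain(zone, opt_out, salt=b"", iterations=0):
    """Chain as (owner_hash, next_hash, opt_out_flag). With Opt-Out, unsigned
    delegations get no NSEC3 RR; the span covering their hash is flagged."""
    signed, skipped = [], []
    for name, kind, has_ds in zone:
        h = nsec3_hash(name, salt, iterations)
        if opt_out and kind == "delegation" and not has_ds:
            skipped.append(h)
        else:
            signed.append(h)
    owners = sorted(signed)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        flag = any(covers(owner, nxt, s) for s in skipped)
        chain.append((owner, nxt, flag))
    return chain
```

With this zone the full chain holds seven NSEC3 RRs, the Opt-Out chain only four; the three unsigned delegations are each covered by exactly one flagged span, which is the record a referral for them would need to carry.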
_______________________________________________
DNSOP mailing list -- [email protected]