On Thu, Dec 26, 2024 at 2:05 PM John Levine <[email protected]> wrote:
> > Someone is going to ask what about opt-out. I think the answer is that when
> > doing online signing it's easier to sign everything than try and find the
> > names whose hashes precede and follow the name you don't want to sign.
>

I was originally thinking of the space and memory cost savings of not needing to maintain a full NSEC3 chain in delegation-centric zones with very sparse signed children (the argument of the original Opt-Out proponents). However, I guess for online signers, there is in fact a small computational advantage in not needing to dynamically construct a signed NSEC3 record in referral responses for delegated zones that are unsigned and appear within an Opt-Out span.

So, I think a case could be made that this is a valid reason to do NSEC3 with this protocol. You may be right that it is simpler just to on-the-fly sign everything rather than dealing with the conditional Opt-Out behavior, but I think it's worth documenting the tradeoff.

Shumon.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
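As an added illustration of the tradeoff discussed in the thread (this is not code from the thread or from any signer), the following Python computes NSEC3 owner hashes per RFC 5155 and contrasts what a referral for an unsigned delegation requires from a full chain versus an Opt-Out chain: an exact-match NSEC3 for the delegation's own hash, or the span whose preceding and following hashes cover it. The zone names, salt and iteration count are constructed, loosely following RFC 5155 Appendix A.

```python
import base64, hashlib

# RFC 4648 base32 (A-Z, 2-7) to base32hex (0-9, A-V), the alphabet NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical lowercase wire-format owner name (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()

def build_chain(names, salt, iterations, opt_out_unsigned=()):
    """Sorted hashed owner names forming the NSEC3 chain. With Opt-Out the
    unsigned delegations are left out, so the chain is shorter and has spans."""
    kept = [n for n in names if n not in opt_out_unsigned]
    return sorted(nsec3_hash(n, salt, iterations) for n in kept)

def referral_nsec3(chain, delegation, salt, iterations):
    """What a signer must produce for a referral to `delegation`: the NSEC3
    matching its hash (full chain) or the one whose span covers it (Opt-Out)."""
    h = nsec3_hash(delegation, salt, iterations)
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]  # the last owner wraps to the first
        if owner == h:
            return ("match", owner, nxt)
        wraps = owner > nxt
        if owner < h < nxt or (wraps and (h > owner or h < nxt)):
            return ("cover", owner, nxt)
    raise ValueError("empty chain")

# Constructed zone loosely following RFC 5155 Appendix A (salt aabbccdd, 12 iterations).
SALT, ITER = bytes.fromhex("aabbccdd"), 12
ZONE = ["example", "a.example", "ai.example", "ns1.example", "ns2.example",
        "w.example", "*.w.example", "x.w.example", "x.y.w.example", "xx.example"]
UNSIGNED_DELEGATIONS = ["c.example"]  # NS but no DS: eligible for Opt-Out
FULL_CHAIN = build_chain(ZONE + UNSIGNED_DELEGATIONS, SALT, ITER)
OPT_OUT_CHAIN = build_chain(ZONE + UNSIGNED_DELEGATIONS, SALT, ITER, UNSIGNED_DELEGATIONS)

if __name__ == "__main__":
    print(len(FULL_CHAIN), "vs", len(OPT_OUT_CHAIN), "NSEC3 records to maintain and sign")
    print("full chain:   ", referral_nsec3(FULL_CHAIN, "c.example", SALT, ITER))
    print("opt-out chain:", referral_nsec3(OPT_OUT_CHAIN, "c.example", SALT, ITER))
```

Sparse-child, delegation-heavy zones make the chain-length gap far larger than this one-record toy shows; the referral cases are what an online signer has to compute either way.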
