On Thu, 20 Nov 2025, Peter Thomassen via Datatracker wrote:

Subject: Call for adoption: draft-arends-dnsop-delext-00  (Ends 2025-12-04)

This message starts a 2-week Call for Adoption for this document.

I support adoption. Some questions I have:

        Bit 14 is the Delegation Extension (DE) flag. It indicates to a
        validator that a referral MUST contain an NSEC or NSEC3 record to prove
        presence or absence of types for the delegated name.

Is it really meant that an NSEC(3) record must be returned along with
the actual present new RRtype? I assume this just needs to be rephrased
better. Likely what is meant is that NSEC(3) records for the range(s) of
new parental records need to be included along with any actual records.
(this might cause a huge amplification attack by malicious parents btw)

Note that this also limits the use of these records to DNSSEC-signed
parents. I thought DELEG wanted to work also without DNSSEC in the
parent?

Paul


_______________________________________________
DNSOP mailing list -- [email protected]