Re: [DNSOP] Clarifying motivation for Compact DoE

2023-08-08 Thread Paul Vixie
see inline. Shumon Huque wrote on 2023-08-08 12:13: At any rate, as I've remarked before, I'm not convinced that the optimizations offered in Compact DoE were actually necessary as an operational matter. But I'll leave it to our colleagues at Cloudflare to argue that case. My interest in

Re: [DNSOP] Clarifying motivation for Compact DoE

2023-08-08 Thread Shumon Huque
On Tue, Aug 8, 2023 at 10:45 AM Ben Schwartz wrote: > Hi DNSOP, > > draft-ietf-dnsop-compact-denial-of-existence currently says the following > about RFC 4470: > >The response for a non-existent name requires up to 2 signed NSEC >records or up to 3 signed NSEC3 records (and for online

Re: [DNSOP] Clarifying motivation for Compact DoE

2023-08-08 Thread Shumon Huque
On Tue, Aug 8, 2023 at 11:50 AM Paul Wouters wrote: > On Tue, 8 Aug 2023, Ben Schwartz wrote: > > > If this is correct, then I'm not sure the complexity of solving the ENT > problem is worthwhile. > I'm not sure which "ENT" problem Ben is referring to solving here. The draft proposes ways to

Re: [DNSOP] [Ext] Compact DoE sentinel choice

2023-08-08 Thread Shumon Huque
On Tue, Aug 8, 2023 at 9:13 AM Edward Lewis wrote: > On Mon, Jul 31, 2023 at 11:58 AM Edward Lewis > wrote: > > >You've probably stumbled across Cloudflare's differential behavior for > DO=0 vs > > >DO=1 queries. With non-DNSSEC queries it provides a vanilla, unsigned > > >NXDOMAIN response.

Re: [DNSOP] [Ext] Compact DoE sentinel choice

2023-08-08 Thread Edward Lewis
>Compact DoE, and RFC4470 already appear to violate it for ENT responses. And >it was (arguably) already violated by >pre-computed NSEC3 (5155), where an empty non-terminal name (or rather the >hash of it) does solely own an >NSEC3 record. NSEC3 is different. Because NSEC3 hashes the labels

Re: [DNSOP] [Ext] Compact DoE sentinel choice

2023-08-08 Thread Edward Lewis
On Mon, Jul 31, 2023 at 11:58 AM Edward Lewis <edward.le...@icann.org> wrote: >You've probably stumbled across Cloudflare's differential behavior for DO=0 vs >DO=1 queries. With non-DNSSEC queries it provides a vanilla, unsigned >NXDOMAIN response. With DNSSEC enabled queries, it provides

Re: [DNSOP] Clarifying motivation for Compact DoE

2023-08-08 Thread Paul Wouters
On Tue, 8 Aug 2023, Ben Schwartz wrote: If this is correct, then I'm not sure the complexity of solving the ENT problem is worthwhile. At $dayjob, I had to add bogus TXT records to our zones because of ENT issues with Amazon Route53, which Amazon knows about and has refused to fix for years.

[DNSOP] Clarifying motivation for Compact DoE

2023-08-08 Thread Ben Schwartz
Hi DNSOP, draft-ietf-dnsop-compact-denial-of-existence currently says the following about RFC 4470: The response for a non-existent name requires up to 2 signed NSEC records or up to 3 signed NSEC3 records (and for online signers, the associated cryptographic computation), to prove

Re: [DNSOP] [Ext] Compact DoE sentinel choice

2023-08-08 Thread Shumon Huque
On Tue, Aug 8, 2023 at 9:21 AM Edward Lewis wrote: > >Compact DoE, and RFC4470 already appear to violate it for ENT responses. > And it was (arguably) already violated by > > >pre-computed NSEC3 (5155), where an empty non-terminal name (or rather > the hash of it) does solely own an > > >NSEC3

Re: [DNSOP] [Ext] Compact DoE sentinel choice

2023-08-08 Thread Shumon Huque
On Wed, Jul 26, 2023 at 11:05 PM Edward Lewis wrote: > [...] > In some sense, this proposal is establishing a (set of) wildcard(s) > (source[s] of synthesis) that owns just an NSEC record when it applies to > otherwise NXDOMAIN responses. Mulling this over, it becomes apparent that > the next