
Re: NSEC-13 conclusion



Edward Lewis wrote on 12/12/2007 05:04:16 AM:

> At 10:12 +1100 12/12/07, Mark Andrews wrote:
> 
> >You can still want to assert the non-existence of a delegation.
> 
> If you want to do that, just put a TXT record there saying "Na na 
> nana nah" and sign it.  (DNSSEC isn't about asserting anything, it's 
> about being able to verify something.)

We have considered that. That would require either an additional query for 
that text record, or that text record, including its signature, being present in 
every (NSEC3) referral. 
Since we need to signal a binary state (a single bit), we thought it 
efficient to signal that binary state in the NSEC3 record. This would save 
the additional query, or save space (of that text record and the 
signature) in a referral where the cost of packet real estate is already 
significant, especially when it is for a single bit.

This is the rationale for the 'how' though, not the 'why'.

The rationale for the 'why is it optional' is that anti-enumeration and 
opt-out are two different concepts that are signalled in one record (the 
NSEC3 record). The requirement for anti-enumeration does not imply a 
requirement for opt-out, hence it is optional.

Roy
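As an added illustration of the "single bit" Roy describes (my own code, not from anyone in this thread), here is a parser for NSEC3 RDATA together with the validator-side consequence of that bit when a referral arrives without a DS record. It assumes the RFC 5155 RDATA layout (hash algorithm, flags with Opt-Out in the low bit, iterations, salt, next hashed owner, type bitmaps), which the mail itself does not spell out; the sample record is constructed.

```python
import struct

# Constructed sample NSEC3 RDATA (not from the mail): SHA-1 (alg 1),
# Opt-Out flag on or off, 10 iterations, a 4-byte salt, a 20-byte next hash,
# and a window-0 type bitmap announcing NS (type 2) and RRSIG (type 46).
def build_nsec3_rdata(opt_out: bool, salt: bytes = b"\xaa\xbb\xcc\xdd",
                      next_hash: bytes = bytes(range(20))) -> bytes:
    flags = 0x01 if opt_out else 0x00          # RFC 5155: bit 0 of Flags = Opt-Out
    bitmap = bytearray(6)
    for t in (2, 46):
        bitmap[t // 8] |= 0x80 >> (t % 8)      # DNS type bitmaps are MSB-first
    return (struct.pack("!BBH", 1, flags, 10)
            + bytes([len(salt)]) + salt
            + bytes([len(next_hash)]) + next_hash
            + bytes([0, len(bitmap)]) + bytes(bitmap))

def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Decode NSEC3 RDATA; the Opt-Out state is the single bit the thread is about."""
    hash_alg, flags, iterations = struct.unpack("!BBH", rdata[:4])
    pos = 4
    salt_len = rdata[pos]; pos += 1
    salt = rdata[pos:pos + salt_len]; pos += salt_len
    hash_len = rdata[pos]; pos += 1
    next_hash = rdata[pos:pos + hash_len]; pos += hash_len
    types = set()
    while pos < len(rdata):                    # one (window, length, bits) block at a time
        window, length = rdata[pos], rdata[pos + 1]; pos += 2
        bits = rdata[pos:pos + length]; pos += length
        for i, byte in enumerate(bits):
            for b in range(8):
                if byte & (0x80 >> b):
                    types.add(window * 256 + i * 8 + b)
    return {"hash_alg": hash_alg, "opt_out": bool(flags & 0x01),
            "iterations": iterations, "salt": salt,
            "next_hash": next_hash, "types": types}

def classify_unsigned_referral(nsec3: dict, matches_delegation: bool) -> str:
    """A validator's verdict on a referral that carried no DS record.
    matches_delegation: the NSEC3 owner is the hash of the delegation name itself
    (its bitmap is then authoritative); otherwise the NSEC3 merely covers the gap."""
    if matches_delegation:
        return "bogus" if 43 in nsec3["types"] else "insecure"   # 43 = DS
    # Only a covering record: a missing name is acceptable solely under Opt-Out.
    return "insecure" if nsec3["opt_out"] else "bogus"
```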

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>