Re: [dnsext] I-D Action:draft-ietf-dnsext-dnssec-rsasha256-07.txt
On Thu, Dec 04, 2008 at 11:49:57PM +1100, Mark Andrews wrote:
> And no one would know if you used algorithm 7 to do that
> and only served zones that contained NSEC records. The
> only time the authoritative server needs to know how to
> return NSEC3 proofs is when the zone contains a NSEC3 and
> there is an appropriate NSEC3PARAM record there.
>
> The validator however needs to handle both forms or
> it can't validate the returned responses.
But there'd still be a formal violation, because the server wouldn't
know what to do with NSEC3, at least in some reading of the
specification. Remember, not every use of RFCs is for practical,
engineering-type purposes. Sometimes, it has to do with checkboxes on
a conformance chart. I don't see any reason to make that harder.
(Also, what would you do about the case where an admin who didn't read
the manual put an NSEC3 record in such a zone anyway? Should the
server stop using SHA-2 in that case? Just not run? Catch on fire?
I can think of lots of different answers, but none of them benefit
from conflating two tangentially related issues, i.e. NSEC vs NSEC3 and
the algorithms involved in each case.)
A
--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
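A small zone-consistency check for the three situations the exchange above turns on (an NSEC3-alias algorithm over a plain NSEC zone, a stray NSEC3 record with no NSEC3PARAM, and mixed chains), added here as an example; it is not code from the thread or from any name server. It assumes a one-RR-per-line presentation-format zone, constructed inline, and the algorithm numbers from RFC 5155 and RFC 5702 (6 and 7 are the NSEC3 aliases; 8 is RSA/SHA-256, usable with either chain).

```python
"""Zone consistency check for the NSEC/NSEC3 vs. signing-algorithm question.
Added example; assumes one RR per line: owner TTL class type rdata."""

# RFC 5155 aliases that signal NSEC3; RFC 5702's algorithm 8 (RSA/SHA-256) works with either.
NSEC3_SIGNALLING_ALGS = {6, 7}  # DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1

# Constructed sample: algorithm 8 over an NSEC chain, plus a stray NSEC3 and no NSEC3PARAM.
SAMPLE_ZONE = """\
example.          3600 IN SOA    ns1.example. hostmaster.example. 1 7200 900 1209600 3600
example.          3600 IN DNSKEY 257 3 8 AwEAAPLACEHOLDERKSK   ; KSK, RSA/SHA-256
example.          3600 IN DNSKEY 256 3 8 AwEAAPLACEHOLDERZSK   ; ZSK, RSA/SHA-256
example.          3600 IN NSEC   ns1.example. SOA NS DNSKEY RRSIG NSEC
ns1.example.      3600 IN A      192.0.2.1
ns1.example.      3600 IN NSEC   example. A RRSIG NSEC
ab12cd34.example. 3600 IN NSEC3  1 0 10 AABBCCDD EF56GH78 A RRSIG
"""

# Constructed sample for the "no one would know" case: algorithm 7 over NSEC only.
SAMPLE_ZONE_ALG7 = """\
example.      3600 IN DNSKEY 256 3 7 AwEAAPLACEHOLDERZSK
example.      3600 IN NSEC   ns1.example. SOA NS DNSKEY RRSIG NSEC
ns1.example.  3600 IN NSEC   example. A RRSIG NSEC
"""

def parse_rrs(text):
    """Return (owner, type, rdata-fields) per RR; strips ';' comments."""
    rrs = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 4:
            rrs.append((fields[0], fields[3], fields[4:]))
    return rrs

def check_zone(text):
    """Report the denial-of-existence chain the zone carries, the DNSKEY
    algorithms signing it, and the inconsistencies discussed in the thread."""
    rrs = parse_rrs(text)
    types = {t for _, t, _ in rrs}
    algs = {int(rd[2]) for _, t, rd in rrs if t == "DNSKEY"}  # rdata: flags proto alg key
    findings = []
    if "NSEC3" in types and "NSEC3PARAM" not in types:
        findings.append("NSEC3 present without NSEC3PARAM: server cannot select NSEC3 proofs")
    if "NSEC" in types and "NSEC3" in types:
        findings.append("zone mixes NSEC and NSEC3 records")
    if algs & NSEC3_SIGNALLING_ALGS and "NSEC3" not in types:
        findings.append("NSEC3-signalling algorithm used over a plain NSEC zone")
    chain = "NSEC3" if "NSEC3PARAM" in types else ("NSEC" if "NSEC" in types else "none")
    return {"algorithms": sorted(algs), "chain": chain, "findings": findings}
```

Running `check_zone` over a real zone dump flags the stray-NSEC3 case before it reaches a server that has to decide what to do with it.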
archive: <http://ops.ietf.org/lists/namedroppers/>