Re: [dnsext] nsec3 and wildcards

"George Barwood" <george.barwood@blueyonder.co.uk> Mon, 24 January 2011 15:04 UTC

----- Original Message -----
From: "Miek Gieben" <miek.gieben@sidn.nl>
To: "dnsext List" <dnsext@ietf.org>
Sent: Monday, January 24, 2011 2:09 PM
Subject: [dnsext] nsec3 and wildcards


> Hello,
> 
> I was wondering if there was a way to limit the amount of nsec3s that
> are returned for name-error responses. Right now, one of the nsec3s is there
> to signal that there is no wildcard present.
> 
> Would it be possible to use the flags field (in the remaining nsec3s) to
> signal 'oh, and btw, there also wasn't a wildcard'?
> 
> Somehow this shouldn't work, but I cannot see why...

Well, the question would be "what wildcard"?

Remember there are a (practically) unlimited number of queries, which the server answers
using a relatively small number of signed records. The design choice was to minimise the number of RRsets
that have to be signed. It might have been possible to have a different design with a larger number
of things to be signed but smaller responses (with fewer signatures).

Regards,
George

> Kind regards,
> 
> --
> Miek
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
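George's "what wildcard" point, as an added worked example (my code, not from the thread or from any DNS implementation): the wildcard a name-error response must deny is *.<closest encloser>, so which NSEC3 covers it is only known once the query's closest encloser is known. The code follows RFC 5155 sections 5 and 7.2.2, using that RFC's Appendix A hash parameters and a constructed zone loosely modelled on its example zone.

```python
import base64
import hashlib

# Hash parameters as in RFC 5155 Appendix A: SHA-1, 12 extra iterations, salt aabbccdd.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
# Constructed sample zone, loosely modelled on the RFC 5155 Appendix A zone.
ZONE = ["example", "a.example", "ai.example", "c.example", "ns1.example", "ns2.example",
        "w.example", "*.w.example", "x.w.example", "x.y.w.example", "y.w.example", "xx.example"]

def to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # NSEC3 owner names use base32hex (RFC 4648 section 7); remap from the standard alphabet.
    b32hex = base64.b32encode(digest).translate(
        bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"))
    return b32hex.decode("ascii").lower()

def covering_owner(chain, h):
    """Owner hash of the NSEC3 whose (owner, next) interval covers h; the chain wraps around."""
    chain = sorted(chain)
    below = [o for o in chain if o < h]
    return below[-1] if below else chain[-1]  # wrap: the last NSEC3 covers hashes below the first

def name_error_proof(zone_names, qname):
    """Names whose NSEC3 RRs a name-error response must carry (RFC 5155 section 7.2.2)."""
    existing = {n.lower().rstrip(".") for n in zone_names}
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels) in existing:
        raise ValueError("name exists: not a name error")
    for i in range(1, len(labels)):           # walk up one label at a time ...
        if ".".join(labels[i:]) in existing:  # ... to the closest encloser
            closest_encloser, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
            break
    else:
        raise ValueError("qname is not below the zone apex")
    wildcard = "*." + closest_encloser  # which wildcard must be denied depends on the closest encloser
    if wildcard in existing:
        raise ValueError("wildcard exists: the answer is synthesized, not a name error")
    chain = [nsec3_hash(n) for n in existing]
    return {"closest_encloser": closest_encloser, "next_closer": next_closer, "wildcard": wildcard,
            "nsec3_owners": {nsec3_hash(closest_encloser), covering_owner(chain, nsec3_hash(next_closer)),
                             covering_owner(chain, nsec3_hash(wildcard))}}
```

Calling name_error_proof(ZONE, "a.c.x.w.example") and name_error_proof(ZONE, "foo.example") yields the wildcards *.x.w.example and *.example respectively, each needing its own covering NSEC3; the returned owner set has at most three entries, fewer when one NSEC3 happens to cover two of the names.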