[DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

Mukund Sivaraman <muks@isc.org> Tue, 18 July 2017 09:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6vYVFaQDvAJ8-0jsmRbwcdcz1h0>

Hi all

There are still many popular unsigned zones, many of which don't look
like they will be signed soon due to operational and other reasons.

Will you give some thought and reply with your opinion on NSEC/NSEC3 for
unsigned zones requiring the DNS COOKIE option in transmission, that can
be used with draft-ietf-dnsop-nsec-aggressiveuse?