Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

[Olafur Gudmundsson <ogud@ogud.com>]

>
> 5.  Next Record type
>
>     There are currently two types of next records that are provide
>     authenticated denial of existence of DNS data in a zone.

I have a problem with this presentation.
There are two mechanishm to provide proof of non-existance, each has a
RR type associated with it.
The text of section 5 as written places the RRtype as the main focus 
rather than the technique used.
One of the issues I have been running into is that people assume that
NSEC3 is a replacement of NSEC because of the naming of the records
i.e. NSEC3 is 3'rd version of NSEC ;

For this reason I would advoacte that this section be retuned to talk
about the mechanishms first then cover the on the wire details and
records.

>
>     o  The NSEC [4] record builds a linked list of sorted RRlabels with
>        their record types in the zone.
>
>     o  The NSEC3 [24] record builds a similar linked list, but uses
>        hashes instead of the RRLabels.
>

My draft rewrite of 5.

There are two meachanisms to provide authenticated proof of 
exsitance/non-existance in DNSSEC. A clear text one and a obfuscated 
one.  Both mechanishms for each name include a list of all the RRtypes 
present at the name. Both mechanishms only include the names the zone is 
authoratitve, i.e. glue names present in the zone are omiited.

	* The clear text one is implemented via a sorted link list of names in 
the zone.
         * The obufscated first hashes the names via one-way hash 
function and then sorts the resulting strings.

The clear text version has its one RRtype for negative answer, Clear 
text one uses NSEC record and the obfuscated one used NSEC3.

If you agree with this change in focus is benefital I will be happy to 
help rewrite the remainder of the section.


	Olafur