Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

Jim Reid <jim@rfc1035.com> Tue, 18 July 2017 11:44 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67320131DF7 for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 04:44:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2r7Z7UG2gA41 for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 04:44:49 -0700 (PDT)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2873B131DE7 for <dnsop@ietf.org>; Tue, 18 Jul 2017 04:44:49 -0700 (PDT)
Received: from dhcp-8e9b.meeting.ietf.org (dhcp-8e9b.meeting.ietf.org [31.133.142.155]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 6C5FD2421527; Tue, 18 Jul 2017 11:44:47 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <201707181117.v6IBHwLn047420@givry.fdupont.fr>
Date: Tue, 18 Jul 2017 12:44:46 +0100
Cc: Mukund Sivaraman <muks@isc.org>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F247E60-3FBE-4BC4-8E7C-27C042AF7CC5@rfc1035.com>
References: <201707181117.v6IBHwLn047420@givry.fdupont.fr>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/heFGt4In6zzRHs8aWtKrwzFOFFY>
Subject: Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 11:44:50 -0000

> On 18 Jul 2017, at 12:17, Francis Dupont <Francis.Dupont@fdupont.fr> wrote:
> 
> It seems easier to remember that DNSSEC offers proofs for denial of existence.

Except when it doesn't. :-) RFC5155 includes opt-in.