Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

Tony Finch <dot@dotat.at> Tue, 18 July 2017 11:41 UTC

Date: Tue, 18 Jul 2017 12:41:38 +0100
From: Tony Finch <dot@dotat.at>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
cc: Mukund Sivaraman <muks@isc.org>, dnsop@ietf.org
In-Reply-To: <201707181117.v6IBHwLn047420@givry.fdupont.fr>
Message-ID: <alpine.DEB.2.11.1707181240320.27210@grey.csi.cam.ac.uk>
References: <201707181117.v6IBHwLn047420@givry.fdupont.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xfZUdkUas1C5NwvHU35c5IOYG_U>
Subject: Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

Francis Dupont <Francis.Dupont@fdupont.fr> wrote:

> It seems easier to remember that DNSSEC offers proofs for denial of existence.

Yes. Surely we don't want to make the DNS even more complicated just to
undermine one of the positive features of DNSSEC.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Southeast Iceland: Southeasterly 5 to 7, occasionally gale 8 in west. Moderate
becoming rough, occasionally very rough for a time in west. Rain later. Good,
occasionally poor later.