Re: Q-10: Reaction to "Silly" NXT's

["Olaf M. Kolkman" <olaf@ripe.net>]

A comment/clarification with respect to this issue and
draft-ietf-dnsext-dnssec-protocol-02.txt

In the initial mail Ed wrote:
 > Any comments on this proposal?  (It's been posted a few times.) 
 > Sooner or later this will be cast into MUST/SHOULD language and 
 > submitted to the dnssec-editors, based on feedback.


The "Silly State" discussion died without text being submitted to the
editors.

The draft now contains in section 5.4:

   Since a verified NSEC RR proves the existance of both itself and
   its corresponding RRSIG RR, a verifier MUST ignore the settings of
   the NSEC and RRSIG bits in an NSEC RR.


In other words it clarifies the RFC2535 approach and does not add
additional checks.

If the Working Group still want to pursue with 'Silly State' then
those interested should come up with a "diff" against
dnssec-protocol-2. That text, which should have a motivation, will
then be discussed on its merits.

We want to try to get a final version of the protocol draft before the
cut-off in about 3 weeks. To allow some time for discussion a text
would need to be submitted within, say, a week.


--Olaf Kolkman
  DNSEXT Co-Chair

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>