zone-covering NSEC ranges -- "which is it?"
i asked this in an earlier message but it was lost in the haze of a larger
discussion. here are two NSEC RRs, more or less.
#1: @ NSEC (SOA NS ...) @
#2: X NSEC (...) X
there are two visible differences between them: one says there's an SOA and
NS at the ownername (@), the other does not (X). and one's owner and target
names are "@" (the zone apex) and the other's owner and target names are "X"
(not the zone apex).
those familiar with the specs consider the first one to be a way of expressing
the nonexistence of any names other than the zone apex. in other words it
covers the whole zone, all possible names.
why? there are two possible answers. for my own edification i'd like to
clarify which one applies, and for others' edification i might end up asking
that the dnssec-bis docset be amended to clarify this point.
the first possible answer to "why does @-NSEC-@ cover all possible names?"
is that the target name is @, and it's a special case indicating that all
names from the owner name through the end of the zone are in the range.
the second possible answer to "why does @-NSEC-@ cover all possible names?"
is that the target name equals the owner name, indicating a null range,
which in some kind of "serial number arithmetic" kind of way "wraps around."
if we select the first possible answer, then "X-NSEC-X" does not speak for
all possible names in the same way "@-NSEC-@" does.
if we select the second possible answer, then "X-NSEC-X", for any value of
X including @ or any other, speaks for all possible names.
which is it?
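An added example, not part of the post above, that runs the two candidate readings against the two records in the post. It implements the canonical name ordering of RFC 4034 section 6.1 and the coverage test a validator performs; `rule="apex"` is the reading the RFCs describe (a Next Domain Name equal to the zone apex marks the last NSEC in the zone and its range runs to the end), while `rule="equal"` additionally treats any owner-equals-next record as a wrap, i.e. the post's second reading. The apex `example.` and the name `x.example.` are constructed stand-ins for the post's `@` and `X`.

```python
# Added example: NSEC coverage check under the two readings discussed above.
# "example." stands in for the post's "@" (zone apex), "x.example." for "X".

def canonical_labels(name: str) -> list:
    """Labels in canonical order (RFC 4034 s6.1): most significant label first,
    lowercased; Python compares the resulting lists label by label as unsigned
    octet strings, and a shorter (ancestor) name sorts before its descendants."""
    return [lab.lower().encode("ascii")
            for lab in name.rstrip(".").split(".") if lab][::-1]

def in_zone(name: str, apex: str) -> bool:
    a, n = canonical_labels(apex), canonical_labels(name)
    return n[:len(a)] == a

def nsec_covers(owner: str, next_name: str, apex: str, qname: str,
                rule: str = "apex") -> bool:
    """True if the NSEC (owner -> next_name) proves that qname does not exist.
    rule="apex":  next name equal to the zone apex marks the last NSEC in the
                  zone, whose range runs from owner to the end of the zone.
    rule="equal": as above, plus any NSEC whose next name equals its owner is
                  read as a null range that wraps over every other name."""
    if not in_zone(qname, apex):
        return False            # names outside the zone are never covered
    o, n, q = (canonical_labels(x) for x in (owner, next_name, qname))
    if q == o:
        return False            # the owner exists; NSEC only proves its type bitmap
    if rule == "equal" and n == o:
        return True             # second reading: null range == whole zone
    if o < q and n == canonical_labels(apex):
        return True             # last NSEC in the chain: everything after owner
    return o < q < n            # ordinary NSEC: strictly between owner and next

APEX = "example."
NSEC1 = ("example.", "example.")      # the post's "#1: @ NSEC (SOA NS ...) @"
NSEC2 = ("x.example.", "x.example.")  # the post's "#2: X NSEC (...) X"

def coverage_table(qnames, rule: str = "apex") -> dict:
    """Map each qname to (covered by NSEC1, covered by NSEC2) under a rule."""
    return {q: (nsec_covers(*NSEC1, APEX, q, rule),
                nsec_covers(*NSEC2, APEX, q, rule)) for q in qnames}

if __name__ == "__main__":
    names = ["a.example.", "x.example.", "y.example.", "example.", "other."]
    for rule in ("apex", "equal"):
        print(rule, coverage_table(names, rule))
```

Under the "apex" rule the second record covers nothing, since no name can fall strictly between X and X and X is not the apex; under the "equal" rule it covers every in-zone name except X itself.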
archive: <http://ops.ietf.org/lists/namedroppers/>