Re: rfc4035: missing text on empty-non-terminal proof
> Since this particular NODATA proof is different from the normal NODATA proof,
> I've written a small erratum for section 5.4, listed below, and an addendum
> to sections B.3 and C.3 (respectively labeled: B.3.1 and C.3.1).
As a purely editorial matter, I've been trying to describe and fix the
deficiencies of the bis docs without actually rewriting them in place.
Being as this is the second issue with the non-existence proof
section, though, I'm wondering if something more invasive may be
needed in this case. The other issue is documented in Section 6 of
dnssec-bis-updates-00 (you can see the discussion that led to this in
the namedroppers archives from March 9-10) -- I'd be delighted to have
specific suggestions as to how to present both of these most clearly.
Here's the text:
6. Clarifications on Non-Existence Proofs
RFC4035 Section 5.4 slightly underspecifies the algorithm for
checking non-existence proofs. In particular, the algorithm there
might incorrectly allow the NSEC from the parent side of a zone cut
to prove the non-existence of either other RRs at that name in the
child zone or other names in the child zone.
A parent-side delegation NSEC (one with the NS bit set, but no SOA
bit set, and with a signer field that's shorter than the owner name)
must not be used to assume non-existence of any RRs below that zone
cut (both RRs at that ownername and at ownernames with more leading
labels, no matter their content).
-- Sam
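An added illustration of the rule quoted in the draft text above, not code from the thread or from dnssec-bis-updates (the record layout, sample names and function names are my own assumptions): it classifies an NSEC as parent-side delegation NSEC when the NS bit is set, the SOA bit is clear and the RRSIG signer name is shorter than the owner name, and then refuses to let such an NSEC prove non-existence at or below that owner.

```python
from dataclasses import dataclass


def labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels (root label omitted)."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_at_or_below(qname: str, owner: str) -> bool:
    """True when qname equals owner or is a descendant of owner."""
    q, o = labels(qname), labels(owner)
    return len(q) >= len(o) and q[len(q) - len(o):] == o


@dataclass
class Nsec:
    owner: str        # owner name of the NSEC RR
    next_name: str    # "next domain name" field of the NSEC RR
    types: set        # type bitmap as mnemonics, e.g. {"NS", "RRSIG", "NSEC"}
    signer: str       # Signer's Name field of the RRSIG covering this NSEC


def is_parent_side_delegation(nsec: Nsec) -> bool:
    """Parent-side delegation NSEC: NS set, SOA clear, signer above owner."""
    types = {t.upper() for t in nsec.types}
    return ("NS" in types and "SOA" not in types
            and len(labels(nsec.signer)) < len(labels(nsec.owner)))


def rejected_by_zone_cut_rule(nsec: Nsec, qname: str) -> bool:
    """True when the draft's rule forbids using this NSEC for qname: a
    parent-side delegation NSEC proves nothing at or below the zone cut.
    False only means the rule does not bar it; normal NSEC matching still
    has to be done by the validator."""
    return is_parent_side_delegation(nsec) and is_at_or_below(qname, nsec.owner)


# Constructed sample records (not real zone data).
PARENT_NSEC = Nsec("child.example.", "next.example.",
                   {"NS", "DS", "RRSIG", "NSEC"}, signer="example.")
CHILD_APEX_NSEC = Nsec("child.example.", "www.child.example.",
                       {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"},
                       signer="child.example.")

if __name__ == "__main__":
    for q in ("child.example.", "www.child.example.", "other.example."):
        print(q, rejected_by_zone_cut_rule(PARENT_NSEC, q),
              rejected_by_zone_cut_rule(CHILD_APEX_NSEC, q))
```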