Re: proving NAME ERROR (was: Re: [dns-operations] NXDOMAIN vs NODATA for suffixes of existing name)

At 22:44 +0200 4/18/06, Roy Arends wrote:
>The response would include
>13 NSEC3 14 to show there's a g.h.example.
>5  NSEC3 10 to show there's no g.g.h.example.
>And that is the beauty of the closest encloser. Since you've proved that
>g.h.example is the closest encloser, by showing g.g.h.example does not
>exist, you don't have to prove anything CLOSER exists.

Okay, it's not as bad as I thought.  The second NSEC3 record to me is
a significant difference from the NSEC approach; the difference is
caused by losing the tree structure in hashing.

I still wonder what the impact of the validator's guessing of the 
"meaning" of the CE hash will be on performance, as well as the rules 
at the cut points.  (The latter is also a problem with the NSEC; you
need to know if you have the upper or lower NSEC in the proof and if
it is the right one.)

Edward Lewis                                                +1-571-434-5468

Nothin' more exciting than going to the printer to watch the toner drain...

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

4/19/2006 4:48:39 PM
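
The closest-encloser check discussed in this message, as an added Python example (not code from the thread or from any DNS implementation): the validator hashes the query name and each ancestor in turn, which is the "guessing" cost raised above, until one hash matches an NSEC3 owner and the name one label longer falls inside an NSEC3 gap. It uses the hash construction later published in RFC 5155; the zone contents, salt, iteration count and query name are constructed, the whole chain stands in for the records a response would carry, and the wildcard denial and cut-point rules are left out.

```python
import base64, hashlib

# base32 -> base32hex alphabet (SHA-1 is 20 bytes, so there is no padding)
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """Iterated, salted SHA-1 over the lowercase wire-format name.
    Names are given without a trailing dot."""
    wire = b"".join(bytes([len(l)]) + l.encode()
                    for l in name.lower().split(".")) + b"\0"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def build_chain(names, **params):
    """Signer side: sort the hashes and link each owner to the next one."""
    hs = sorted(nsec3_hash(n, **params) for n in names)
    return [(h, hs[(i + 1) % len(hs)]) for i, h in enumerate(hs)]

def covers(record, h):
    """True if h lies strictly inside the record's (owner, next) gap."""
    owner, nxt = record
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def closest_encloser_proof(qname, records, **params):
    """Validator side: hash qname and each ancestor, longest first.
    Returns (closest encloser, next closer name, hashes computed) or None."""
    labels = qname.lower().split(".")
    owners = {owner for owner, _ in records}
    covered = None                    # previous guess, if proven nonexistent
    for i in range(len(labels)):
        guess = ".".join(labels[i:])
        h = nsec3_hash(guess, **params)
        if h in owners:               # matching NSEC3: this ancestor exists
            return (guess, covered, i + 1) if covered else None
        covered = guess if any(covers(r, h) for r in records) else None
    return None

# Constructed sample zone and parameters (not taken from the thread).
ZONE = ["example", "h.example", "g.h.example"]
PARAMS = dict(salt=bytes.fromhex("aabbccdd"), iterations=2)
CHAIN = build_chain(ZONE, **PARAMS)

if __name__ == "__main__":
    ce, nc, n = closest_encloser_proof("a.g.g.h.example", CHAIN, **PARAMS)
    print(f"closest encloser {ce}, next closer {nc}, {n} hashes computed")
```

The third element of the result grows with the number of labels between the query name and its closest encloser, and each of those hashes costs `iterations + 1` SHA-1 invocations.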