This is a discussion on Re: NSEC3 - DNS ; Roy Badami wrote: > Ben> I believe that since NSEC3 also shows the record at the > Ben> closest encloser, the same check works. > > But what about names between the query name and the closest encloser? They don't ...
Roy Badami wrote:
> Ben> I believe that since NSEC3 also shows the record at the
> Ben> closest encloser, the same check works.
>
> But what about names between the query name and the closest encloser?
They don't exist.
> Don't you need to not only prove that a wildcard doesn't exist at each
> of those names,
No, because if a wildcard existed at one of them, then that name would
exist, and so the closest encloser would be that name instead.
> but also that a delegation doesn't exist at each of
> those names? The same NSEC3 record won't generally cover the wildcard
> and the NS record.
I claim it will.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
