Seems to me that this discussion consists of endless demands for further
particulars followed by the complaint that the answers to those
particulars are too long.

NSEC3 is not at all complex by crypto standards.

> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of bert hubert
> Sent: Monday, December 04, 2006 4:38 PM
> To: David Blacka-CR
> Cc: Mike StJohns; Paul Vixie; namedroppers@ops.ietf.org
> Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
>
> On Mon, Dec 04, 2006 at 04:20:50PM -0500, David Blacka wrote:
> > I feel compelled to point out that NSEC3 isn't that complicated to
> > actually *do*. If it is complex, it is complex to analyze. That is,
> > it can be hard to convince yourself that it works without a bit of
> > mental stretching.
>
> It has a 51 page draft, and it details only *non*-existence.
>
> I am referring to NSEC3 non-existence proofs. Perhaps I
> missed something, but messages like:
>
> "In practice, then, we must show an NSEC3 record that
> encloses the hash of x.C, one that encloses the hash of *.C,
> and any RR owned by C (which could be an NSEC3, in which
> case it would be owned by the hash of C). A resolver
> verifying this proof would have to try longer and longer
> closest enclosers to determine which was being demonstrated
> as C, if an NSEC3 is presented.
> If any other RR was used, then C would be the owner. Once C
> has been determined, the resolver can easily check x.C and
> *.C against the proof."
>
> http://www.ops.ietf.org/lists/namedr...roppers.2005/msg00468.html
>
> .. look rather like I need to solve for a system of
> constraints within my software.
>
> But perhaps this applied to a previous draft, or perhaps I am
> dense (most likely). The mind boggles however at the failure
> modes implied by the wording quoted above.
>
> Bert
>
> --
> http://www.PowerDNS.com Open source, database driven DNS Software
> http://netherlabs.nl Open and Closed source services
>
> --
> to unsubscribe send a message to
> namedroppers-request@ops.ietf.org with the word 'unsubscribe'
> in a single line as the message text body.
> archive:


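The closest-encloser check from the quoted passage, written out as an added example (not part of the original thread and not any implementation's code): it strips labels from the query name until an NSEC3 record matches an ancestor C, then requires records covering the next-closer name x.C and the wildcard *.C. The zone, salt, iteration count and function names are constructed for illustration; hashes are compared as raw SHA-1 digests rather than base32hex owner labels, only the case where C is shown by an NSEC3 is handled, and signature validation is assumed to have happened already.

```python
import hashlib

def wire(name):
    """Canonical (lowercased) DNS wire format of a dotted name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash: SHA-1 of name||salt, re-hashed with the salt `iterations` more times."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(owner, nxt, h):
    """True if h falls strictly inside the gap owner..nxt on the circular hash chain."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record wraps around to the first

def build_chain(names, salt, iterations):
    """Signer side: sort the hashed owner names and link each to the next one."""
    hs = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return list(zip(hs, hs[1:] + hs[:1]))

def prove_nxdomain(qname, zone, records, salt, iterations):
    """Return the closest encloser C if records prove qname absent, else None.
    records: (owner_hash, next_hash) pairs from NSEC3 RRs whose RRSIGs are
    assumed to have been validated already."""
    owners = {o for o, _ in records}
    def covered(name):
        h = nsec3_hash(name, salt, iterations)
        return any(covers(o, n, h) for o, n in records)
    labels = qname.rstrip(".").split(".")
    depth = len(zone.rstrip(".").split("."))
    if nsec3_hash(qname, salt, iterations) in owners:
        return None  # qname itself is matched, so it exists
    # Strip one label at a time; the first ancestor matched by an NSEC3 is C.
    for i in range(1, len(labels) - depth + 1):
        candidate = ".".join(labels[i:])
        if nsec3_hash(candidate, salt, iterations) in owners:
            next_closer = ".".join(labels[i - 1:])
            ok = covered(next_closer) and covered("*." + candidate)
            return candidate if ok else None
    return None

# Constructed sample zone and parameters (not taken from the thread).
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 5
CHAIN = build_chain(["example", "a.example", "www.example"], SALT, ITERATIONS)
```

Passing the whole chain as `records` stands in for the handful of NSEC3 records a real negative response would carry.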