On Sep 30, 2022, at 1:59 PM, Catherine Meadows via Datatracker <noreply@xxxxxxxx> wrote:
> I found one thing that could use improving:
>
> The descriptions given in the additional documents of interest section all seem
> to be quotations from the documents described. In most cases this worked well,
> but I found the description of RFC4470 a little puzzling. It says that the
> RFC "describes how to construct DNSSEC NSEC resource records that cover a
> smaller range of names than called for by [RFC4034]".
>
> All the other descriptions mentioned have to do with some security-relevant
> topic, but it is hard to see what the security relevance of this is without
> more information. In this case, it might be helpful to include the next
> sentence, which is
> “By generating and signing these records on demand, authoritative name servers
> can effectively stop the disclosure of zone contents otherwise made possible
> by walking the chain of NSEC records in a signed zone.”
>
> This is still a little opaque, but then at least the reader should understand
> that the reason this document is relevant is that it prevents an attacker from
> learning all the names in a zone.
>

Thanks, this is a good catch. Fixed in the -04.

--Paul Hoffman