[RSSAC Caucus] NSEC clarification in section 5.3 of RSSAC047
Wessels, Duane
dwessels at verisign.com
Thu Nov 18 21:01:16 UTC 2021
During yesterday’s work party call for RSSAC047v2, we talked about an ambiguity in section 5.3 related to an NSEC record “covering the query name”. I’d like to propose the change below and get opinions from DNSSEC experts:
OLD
• If the DS RRset for the query name does not exist in the zone:
• ...
• The Authority section contains a signed NSEC RRset covering the query name.
NEW
• If the DS RRset for the query name does not exist in the zone:
• ...
• The Authority section contains a signed NSEC RRset with an owner name matching the QNAME and with DS omitted from the Type Bit Maps field.
The original text can be found on page 19 of https://www.icann.org/en/system/files/files/rssac-047-12mar20-en.pdf.
DW
More information about the rssac-caucus
mailing list