[dns-operations] negative dnssec replies

Florian Weimer fw at deneb.enyo.de
Sun Nov 27 15:48:47 UTC 2016

* Router Log:

> The signing of negative replies from dnssec enabled zones increase the size
> of the zone data an the complexity dns. For the ease of use and
> implementaion would it be a good idea that a dnssec enabled zone could
> signal to a querier that it intends to send unsigned nxdomain replies? This
> mechanism would have to be signed of course.

Doesn't the NSEC3 opt-out mechanism achieve pretty much something like

More information about the dns-operations mailing list