<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" target="_blank">ietf-dane@dukhovni.org</a>>于2018年1月17日周三 下午2:42写道:<br></div></div><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
> On Jan 17, 2018, at 1:04 AM, T.Suzuki <<a href="mailto:tss@reflection.co.jp" target="_blank">tss@reflection.co.jp</a>> wrote:<br>
><br>
> I can not understand. What is "provably" ? Where should I read in RFC.<br>
> <foobar>.gov.example is the name in the example zone.<br>
> And there is the ex.gov.example zone bellow example zone.<br>
<br>
The short answer is: DO NOT USE THE NSEC3 OPT-OUT BIT.<br>
<br>
A slightly longer answer is:<br>
<br>
With the OPT-OUT bit set in the NSEC3PARAM record, insecure<br>
delegations and associated empty non-terminals are excluded<br>
from the NSEC3 chain. Insecure delegations (NS without DS)<br>
are not protected by DNSSEC signatures when the OPT-OUT bit<br>
is used.<br></blockquote><div><br></div></div></div><div dir="ltr"><div class="gmail_quote"><div>Maybe these 4 scenario:<br></div><div><p>(1) strong (whole zone): NSEC3 + not OptOut, Iterations + salt periodly update </p>
<p>(2) relative(whole zone): NSEC3 + not OptOut,Iterations + salt update with KSK/ZSK roll<br></p>
<p>(3) partly (x% secure delegation) : NSEC3 + OptOut,Iterations + salt update with KSK/ZSK roll</p>
<p>(4) simple (x% secure delegation): NSEC3 + OptOut,Iterations = 0, empty salt (such as verisign's .com)</p></div></div></div><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
--<br>
Viktor.<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">致礼 Best Regards<br><br>潘蓝兰 Pan Lanlan<br></div></div>