<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 14, 2017, at 6:02 PM, Geoff Keating via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 14 Sep 2017, at 12:11 pm, Wayne Thayer via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Thanks Geoff. To be clear, does your proposed language require ‘authentication of an NSEC RRset that proves that no DS RRset is present for this zone’ in order to meet the new condition of the last item, or can an unauthenticated query that returns no DS record be used to meet this condition? If the former, then I wonder if the work to implement this is much different than requiring full support for DNSSEC.</div></div></div></blockquote><div class=""><br class=""></div><div class="">I don’t think we’re trying to require DNSSEC validation, so an unauthenticated query would be evidence.</div><div class=""><br class=""></div><div class="">I do draw your attention to RFC 6840, which clarifies some details, in particular section 4.4 explains the need to check that there’s a NS record served by the same servers that deny existence of a DS record.</div></div></div></div></blockquote><br class=""></div><div>Geoff,</div><div><br class=""></div><div>Thanks for drawing our attention to RFC 6840. It significantly clears up a number of corner cases I’ve seen. For example, section 5.2 covers the case when the zone is signed using algorithms the client doesn’t support and 4.4 makes it clear that delegations covered by opt-out are a proof of insecure delegation.</div><div><br class=""></div><div>I think the 6840 provides enough into to cover the underlying requirement well.</div><div><br class=""></div><div>Thanks,</div><div>Peter</div></body></html>