Technical Summary
The first draft, draft-ietf-dnsext-dnssec-online-signing
describes how to construct DNSSEC NSEC resource records
that cover a smaller range of names than called for by RFC4034. By
generating and signing these records on demand, authoritative name
servers can effectively stop the disclosure of zone contents
otherwise made possible by walking the chain of NSEC records in a
signed zone.
The other draft, draft-ietf-dnsext-dns-name-p-s describes two
methods for deriving the canonically-ordered predecessor and
successor of a DNS name. These methods may be used for dynamic
NSEC resource record synthesis, enabling security-aware name
servers to provide authenticated denial of existence without
disclosing other owner names in a DNSSEC-secured zone.
Working Group Summary
There was consensus in the DNSEXT WG to publisg the online-signing
draft as Proposed Standards. During IETF Last Call, some people
suggested that this draft would be better published as an
Experimental RFC. However, the WG had discussed the publication
status of both of these drafts explicitly, and the number people who
raised this issue in IETF LC was not sufficient to question the
earlier WG consensus.
Protocol Quality
These documents were reviewed for the IESG by Margaret Wasserman.