I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is: Ready

This document explains the reasoning behind, and advantages of, NXDOMAIN cut—a method of ensuring that non-existence of a node in the domain name tree implies non-existence of the entire sub-tree.

The solution does seem to require DNSSEC, as mentioned in the security considerations section, to avoid certain DOS circumstances (which are already possible, but potentially amplified by NXDOMAIN cut).
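The following is an added illustration, not part of the review or of the reviewed document: a resolver-side negative cache that applies NXDOMAIN cut, so one cached denial answers for the whole sub-tree. The class and method names are hypothetical, and the policy of letting only DNSSEC-validated denials prune descendants is an assumption chosen to show why the amplification concern matters.

```python
# Added example: negative cache with NXDOMAIN cut.
# NegativeCache, add_nxdomain and covering_denial are hypothetical names.

def labels(name):
    """Split a domain name into lowercase labels, dropping the root dot."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)


class NegativeCache:
    def __init__(self):
        # label tuple -> True if the NXDOMAIN was DNSSEC-validated
        self._denied = {}

    def add_nxdomain(self, name, validated):
        key = labels(name)
        # Never downgrade an entry that was already validated.
        self._denied[key] = validated or self._denied.get(key, False)

    def covering_denial(self, qname):
        """Return the cached name that denies qname, or None."""
        q = labels(qname)
        # Check qname itself (i == 0), then each ancestor up to the TLD.
        # Comparing label tuples avoids matching "notfoo.example"
        # against "foo.example" by plain string suffix.
        for i in range(len(q)):
            ancestor = q[i:]
            validated = self._denied.get(ancestor)
            if validated is None:
                continue
            # Assumed policy: an unvalidated denial covers only the exact
            # name, so a single spoofed NXDOMAIN cannot erase a sub-tree.
            if i == 0 or validated:
                return ".".join(ancestor)
        return None


def demo():
    cache = NegativeCache()
    cache.add_nxdomain("foo.example.", validated=True)    # constructed input
    cache.add_nxdomain("bar.example.", validated=False)   # constructed input
    return [
        cache.covering_denial("a.b.foo.example."),  # pruned by the cut
        cache.covering_denial("www.bar.example."),  # not pruned: unvalidated
        cache.covering_denial("bar.example."),      # exact match still denied
        cache.covering_denial("notfoo.example."),   # different label: no match
    ]


if __name__ == "__main__":
    print(demo())
```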