Draft: draft-ietf-dnsext-dnssec-online-signing-00
Reviewer: Spencer Dawkins [spencer@mcsr-labs.org]
Review Date: Thursday 12/8/2005 8:12 PM CST
LC Date: 12/06/05
Telechat Date: 12/15/2005

Summary: this specification is ready for publication as a Proposed Standard.

Having said that ... the document is pretty clear on how to solve a problem, but I had to read for a while to figure out what problem was being solved. Could the editors discuss changing the abstract to something like

"DNSSEC NSEC resource records as described in RFC 4034 point to "the next" name, proving that no names exist in the "span" between the NSEC's owner name and the name in the "next name" field, but also allowing requestors to "walk the chain" of NSEC resource records and effectively transfer a signed zone's contents, even if "zone transfer is prohibited". This document describes how authoritative name servers can construct DNSSEC NSEC resource records that make it more difficult for a requestor to walk the chain in violation of policy."?

My point is that the document wasn't about "construct(ing) DNSSEC NSEC resource records that cover a smaller range of names", it was about prohibiting zone transfers in violation of policy - and you do that by constructing ...

The Introduction actually says most of this, it's just not in the Abstract :-)

Thanks, and good luck with your IETF Last Call,