[dns-operations] BIND 9.7 in-band signalling for automatic signing

João Damas joao at bondis.org
Tue Dec 15 16:00:21 UTC 2009


From the instructions bundled with BIND 9.7, it seems that the dynamic update way of initiating automatic signing with this new version (it's a new, nice, feature) is by sending a dynamic update to create an NSEC3PARAM RR. So far so good.
Now, if you also want to tell it to use opt-out the chosen approach seems to be to set the opt-out flag in that new NSEC3PARAM RR. Currently, the RFC says:

> 4.1.2.  Flag Fields
> 
>  The Opt-Out flag is not used and is set to zero.
> 
>  All other flags are reserved for future use, and must be zero.
> 
>  NSEC3PARAM RRs with a Flags field value other than zero MUST be
>  ignored.

The first sentence is not a MUST; not sure what sort of declaration it is, really.
The third sentence, however, is quite damning.

Question is: Is this NSEC3PARAM going to cause interoperability problems with secondary servers not running BIND that discard it because it is not conformant? What other surprises will this trigger? Are others taking the liberal approach of just ignoring the flags, since sw is not meant to do anything with them right now?

Joao

PS: Maybe what gets published in the zone is an NSEC3PARAM with the flag cleared? Shall check this later. (If not, perhaps that can be the way out of non-conformance: keep the flag just as a signalling mechanism that is not reflected in the zone itself?)
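A check a secondary operator could run on the NSEC3PARAM that actually lands in the zone, as an added example that is not part of the original post nor BIND's own code: it decodes the RDATA wire format from RFC 5155 section 4.2 and applies the section 4.1.2 rule that a record with a non-zero Flags field MUST be ignored. The two records below are constructed, with the same hash parameters once with Flags zero and once with the low bit set as an opt-out signal.

```python
"""Parse NSEC3PARAM RDATA (RFC 5155 section 4.2) and apply the
section 4.1.2 rule: Flags != 0 means the record MUST be ignored.
Sample records are constructed for illustration."""
import struct

OPT_OUT = 0x01  # bit defined for NSEC3 Flags; has no meaning in NSEC3PARAM


def build_nsec3param(hash_alg: int, flags: int, iterations: int, salt: bytes) -> bytes:
    """Encode NSEC3PARAM RDATA: alg(1) flags(1) iterations(2) saltlen(1) salt."""
    return struct.pack("!BBHB", hash_alg, flags, iterations, len(salt)) + salt


def parse_nsec3param(rdata: bytes) -> dict:
    """Decode wire-format NSEC3PARAM RDATA into its fields."""
    if len(rdata) < 5:
        raise ValueError("NSEC3PARAM RDATA too short")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    salt = rdata[5:5 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("salt length exceeds RDATA")
    return {"hash_alg": hash_alg, "flags": flags,
            "iterations": iterations, "salt": salt.hex() or "-"}


def usable_nsec3param(rdata: bytes):
    """Return the parsed record if a conformant consumer would act on it,
    otherwise None (RFC 5155 4.1.2: non-zero Flags -> MUST be ignored)."""
    rec = parse_nsec3param(rdata)
    return None if rec["flags"] != 0 else rec


# constructed samples: same parameters, with and without the opt-out bit
CONFORMANT = build_nsec3param(1, 0, 10, bytes.fromhex("abcdef"))
OPT_OUT_SIGNAL = build_nsec3param(1, OPT_OUT, 10, bytes.fromhex("abcdef"))


def describe(rdata: bytes) -> str:
    """One-line verdict for a record as seen by a conformant secondary."""
    rec = usable_nsec3param(rdata)
    if rec is None:
        return "ignored (non-zero Flags)"
    return f"hash={rec['hash_alg']} iter={rec['iterations']} salt={rec['salt']}"


if __name__ == "__main__":
    for label, rd in (("flags=0", CONFORMANT), ("flags=1", OPT_OUT_SIGNAL)):
        print(label, "->", describe(rd))
```

If the published record carries Flags=1, `describe()` reports it as ignored, which is the interoperability outcome the question is about.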
