[dns-operations] BIND version and NSEC3

Jeremy C. Reed reed at reedmedia.net
Fri May 15 18:10:53 UTC 2009

On Fri, 15 May 2009, Gani, Paul * wrote:

> I understand BIND 9.6 is the first version that fully supports NSEC3.
> But how about if you're not interested in performing DNSSEC resolutions,
> but just want to host an NSEC3 zone?  Will BIND 9.5 support creation of
> NSEC3 keys?

BIND 9.5's dnssec-signzone doesn't know NSEC3.

BIND 9.5's dnssec-keygen doesn't know NSEC3RSASHA1.

>  How about hosting a NSEC3 signed zone file as either a
> master or slave?

BIND 9.5 doesn't know NSEC3PARAM or NSEC3 and will complain about unknown 
RR type and won't load.

Also with DNSSEC, when status is NOERROR, a DNSSEC-enabled server also 
sends back (in the authority section) the NSEC record for the requested 
label and class. This will show that the requested TYPE doesn't exist. 
When the status is NXDOMAIN, a DNSSEC-enabled server also sends back (in 
the authority section), an NSEC record for the previous label which will 
show the alphabetical next label. But your zone doesn't have NSEC ...

So using BIND that doesn't know NSEC3, it won't send back NSEC3. (And 
newer dnssec-signzone doesn't create both NSEC and NSEC3 so can't use that 
as an idea.)

(In my testing attempts I used custom TYPE51 and TYPE50 and convert the 
data to the custom format. I have done that and served zone with NSEC3 
with old BIND 9.3.5-P2, but that authoritative server doesn't do anything 
special with the NSEC3PARAM. And any request for something that should 
have been proven non-existent with NSEC3 failed. Also requests for 
wildcards and NSEC3 records failed.)

You can see examples of custom TYPE50 and TYPE51 by using an old dig.

(Please consider using the bind-users list.)

More information about the dns-operations mailing list