[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Nov 18 12:56:38 UTC 2009

Testing dynamic update together with DNSSEC / NSEC3, I can see that
BIND 9.7 b2 does not add NSEC3 records when I add only
non-authoritative data, for instance NS records.

That's fine, it is exactly what I want but how can BIND read in my
mind and discover that the zone was signed with opt-out?

I thought it was using NSEC3PARAM but, while this record indeed stores
useful things like the number of iterations, the opt-out flag is zero:


Indeed, the RFC 5155 mandates it:

4.1.2.  Flag Fields

   The Opt-Out flag is not used and is set to zero.


1) Why does RFC 5155 prevent the use of the opt-out flag?
2) How can BIND find by itself that I use opt-out?

More information about the dns-operations mailing list