[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?
bortzmeyer at nic.fr
Wed Nov 18 12:56:38 UTC 2009
Testing dynamic update together with DNSSEC / NSEC3, I can see that
BIND 9.7 b2 does not add NSEC3 records when I add only
non-authoritative data, for instance NS records.
That's fine, it is exactly what I want, but how can BIND read my
mind and discover that the zone was signed with opt-out?
I thought it was using NSEC3PARAM but, while this record indeed stores
useful things like the number of iterations, the opt-out flag is zero:
@ IN NSEC3PARAM 1 0 10 F00DCAFE
Indeed, RFC 5155 mandates it:
4.1.2. Flag Fields
The Opt-Out flag is not used and is set to zero.
1) Why does RFC 5155 prevent the use of the opt-out flag?
2) How can BIND find by itself that I use opt-out?
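As an added example (not part of the original post): a Python decoder for both RDATA formats from RFC 5155, showing that the Opt-Out bit is carried in each NSEC3 RR's Flags field (section 3.1.2.1), which is what a signer or validator can consult, while the NSEC3PARAM Flags field is always zero. The record bytes are constructed to match the NSEC3PARAM shown above; the NSEC3 samples (next-hash and type bitmap) are made up.

```python
import struct

OPT_OUT_FLAG = 0x01  # RFC 5155 section 3.1.2.1: Opt-Out is the low bit of the NSEC3 Flags field


def parse_nsec3param(rdata: bytes) -> dict:
    """Decode NSEC3PARAM RDATA (RFC 5155 section 4.2): hash alg, flags, iterations, salt."""
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    salt = rdata[5:5 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated NSEC3PARAM salt")
    return {"alg": alg, "flags": flags, "iterations": iterations,
            "salt": salt.hex().upper() or "-"}


def parse_nsec3(rdata: bytes) -> dict:
    """Decode NSEC3 RDATA (RFC 5155 section 3.2); this Flags field is where Opt-Out is recorded."""
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    if len(salt) != salt_len or len(next_hashed) != hash_len:
        raise ValueError("truncated NSEC3 RDATA")
    types = []
    while pos < len(rdata):  # type bitmap windows, same encoding as NSEC (RFC 4034 section 4.1.2)
        window, blen = rdata[pos], rdata[pos + 1]
        bitmap = rdata[pos + 2:pos + 2 + blen]
        pos += 2 + blen
        for i, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append(window * 256 + i * 8 + bit)
    return {"alg": alg, "flags": flags, "opt_out": bool(flags & OPT_OUT_FLAG),
            "iterations": iterations, "salt": salt.hex().upper() or "-",
            "next_hashed": next_hashed, "types": types}


def zone_uses_opt_out(nsec3_rdatas) -> bool:
    """Opt-Out is discoverable only from the existing NSEC3 chain, never from NSEC3PARAM."""
    return any(parse_nsec3(r)["opt_out"] for r in nsec3_rdatas)


# Constructed wire forms: "1 0 10 F00DCAFE" as in the post, plus two NSEC3 RRs covering NS and SOA
SAMPLE_NSEC3PARAM = b"\x01\x00\x00\x0a\x04\xf0\x0d\xca\xfe"
_TAIL = b"\x14" + bytes(range(20)) + b"\x00\x01\x22"  # 20-byte next hash; bitmap 0x22 = NS(2), SOA(6)
SAMPLE_NSEC3_OPTOUT = b"\x01\x01\x00\x0a\x04\xf0\x0d\xca\xfe" + _TAIL  # Flags = 1 (Opt-Out set)
SAMPLE_NSEC3_PLAIN = b"\x01\x00\x00\x0a\x04\xf0\x0d\xca\xfe" + _TAIL   # Flags = 0
```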