[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?
John Dickinson
jad at jadickinson.co.uk
Wed Nov 18 13:21:04 UTC 2009
2009/11/18 Stephane Bortzmeyer <bortzmeyer at nic.fr>
> Testing dynamic update together with DNSSEC / NSEC3, I can see that
> BIND 9.7 b2 does not add NSEC3 records when I add only
> non-authoritative data, for instance NS records.
>
> That's fine, it is exactly what I want but how can BIND read in my
> mind and discover that the zone was signed with opt-out?
>
> I thought it was using NSEC3PARAM but, while this record indeed stores
> useful things like the number of iterations, the opt-out flag is zero:
>
> @ IN NSEC3PARAM 1 0 10 F00DCAFE
>
> Indeed, the RFC 5155 mandates it:
>
> 4.1.2. Flag Fields
>
> The Opt-Out flag is not used and is set to zero.
>
> So:
>
> 1) Why does RFC 5155 prevent the use of the opt-out flag?
>
Because the secondaries don't care about opt-out in order to serve the
correct RR's.
> 2) How can BIND find by itself that I use opt-out?
>
It is only the signer that cares about opt-out - If there is a signer in
bind then there needs to be a setting in the bind zone clause (I guess) that
tells it what to do when signing dynamic updates.
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20091118/b3495da3/attachment.html>
More information about the dns-operations
mailing list