[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

John Dickinson jad at jadickinson.co.uk
Wed Nov 18 13:21:04 UTC 2009

2009/11/18 Stephane Bortzmeyer <bortzmeyer at nic.fr>

> Testing dynamic update together with DNSSEC / NSEC3, I can see that
> BIND 9.7 b2 does not add NSEC3 records when I add only
> non-authoritative data, for instance NS records.
> That's fine, it is exactly what I want but how can BIND read in my
> mind and discover that the zone was signed with opt-out?
> I thought it was using NSEC3PARAM but, while this record indeed stores
> useful things like the number of iterations, the opt-out flag is zero:
> @ IN  NSEC3PARAM 1 0 10 F00DCAFE
> Indeed, the RFC 5155 mandates it:
> 4.1.2.  Flag Fields
>   The Opt-Out flag is not used and is set to zero.
> So:
> 1) Why does RFC 5155 prevent the use of the opt-out flag?

Because the secondaries don't care about opt-out in order to serve the
correct RR's.

> 2) How can BIND find by itself that I use opt-out?

It is only the signer that cares about opt-out - If there is a signer in
bind then there needs to be a setting in the bind zone clause (I guess) that
tells it what to do when signing dynamic updates.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20091118/b3495da3/attachment.html>

More information about the dns-operations mailing list