[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?
jad at jadickinson.co.uk
Wed Nov 18 13:21:04 UTC 2009
2009/11/18 Stephane Bortzmeyer <bortzmeyer at nic.fr>
> Testing dynamic update together with DNSSEC / NSEC3, I can see that
> BIND 9.7 b2 does not add NSEC3 records when I add only
> non-authoritative data, for instance NS records.
> That's fine, it is exactly what I want but how can BIND read my
> mind and discover that the zone was signed with opt-out?
> I thought it was using NSEC3PARAM but, while this record indeed stores
> useful things like the number of iterations, the opt-out flag is zero:
> @ IN NSEC3PARAM 1 0 10 F00DCAFE
> Indeed, RFC 5155 mandates it:
> 4.1.2. Flag Fields
> The Opt-Out flag is not used and is set to zero.
> 1) Why does RFC 5155 prevent the use of the opt-out flag?
Because the secondaries don't care about opt-out in order to serve the
> 2) How can BIND find by itself that I use opt-out?
It is only the signer that cares about opt-out - If there is a signer in
bind then there needs to be a setting in the bind zone clause (I guess) that
tells it what to do when signing dynamic updates.
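The mechanism both messages circle around, as an added example that is not part of the original thread and is not BIND's code: RFC 5155 puts the Opt-Out bit in the Flags field of each NSEC3 RR (section 3.1.2.1) but requires the Flags field of NSEC3PARAM to be zero (section 4.1.2), so a signer that wants to know whether an existing zone is opted out has to look at the NSEC3 chain itself, not at NSEC3PARAM. The script below implements the NSEC3 hash of RFC 5155 section 5, builds the chain for a small constructed zone with and without opt-out (the zone contents, the `d.example.` update and all helper names are assumptions made for this example), and then decides whether a dynamic update that adds an NS-only name needs a new NSEC3 RR.

```python
import base64
import hashlib
from typing import Dict, List, Set, Tuple

# NSEC3 Flags field (RFC 5155 section 3.1.2.1): bit 0 is Opt-Out.
# NSEC3PARAM has the same field layout but must carry 0 (section 4.1.2).
OPT_OUT = 0x01

# base32hex (RFC 4648 section 7): same bit grouping as base32, different alphabet.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash per RFC 5155 section 5: SHA-1, iterations+1 rounds, salt appended each round."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()


def ancestors(name: str, apex: str):
    """Names strictly between `name` and the apex, closest first (candidate empty non-terminals)."""
    labels = name.split(".")
    for i in range(1, len(labels) - len(apex.split("."))):
        yield ".".join(labels[i:])


def is_insecure_delegation(name: str, zone: Dict[str, Set[str]], apex: str) -> bool:
    types = zone.get(name, set())
    return name != apex and "NS" in types and "DS" not in types


def is_glue(name: str, zone: Dict[str, Set[str]], apex: str) -> bool:
    """True when the name sits below a zone cut, i.e. it is not authoritative data of this zone."""
    return any("NS" in zone.get(a, set()) for a in ancestors(name, apex))


def names_needing_nsec3(zone: Dict[str, Set[str]], apex: str, opt_out: bool) -> Set[str]:
    """Owner names that get an NSEC3 RR (RFC 5155 section 7.1), including empty non-terminals."""
    names: Set[str] = set()
    for name in zone:
        if is_glue(name, zone, apex):
            continue
        if opt_out and is_insecure_delegation(name, zone, apex):
            continue  # the point of Opt-Out: unsigned delegations get no NSEC3
        names.add(name)
        names.update(ancestors(name, apex))
    return names


def build_chain(zone: Dict[str, Set[str]], apex: str, salt: str,
                iterations: int, opt_out: bool) -> Tuple[str, List[str]]:
    """Return (NSEC3PARAM record, sorted NSEC3 chain) as presentation-format strings.
    RRSIG is left out of the type bitmaps to keep the output short."""
    flags = OPT_OUT if opt_out else 0
    hashed = sorted((nsec3_hash(n, salt, iterations), n)
                    for n in names_needing_nsec3(zone, apex, opt_out))
    chain: List[str] = []
    for i, (h, n) in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)][0]  # last record wraps around to the first
        types = " ".join(sorted(zone.get(n, set())))  # empty for empty non-terminals
        chain.append(f"{h}.{apex} NSEC3 1 {flags} {iterations} {salt} {nxt} {types}".rstrip())
    # NSEC3PARAM never carries the Opt-Out bit, whatever the chain does.
    return f"{apex} NSEC3PARAM 1 0 {iterations} {salt}", chain


def chain_uses_opt_out(chain: List[str]) -> bool:
    """What a signer actually has to inspect: the Flags field of the existing NSEC3 RRs."""
    return any(int(rr.split()[3]) & OPT_OUT for rr in chain)


def update_needs_nsec3(name: str, rrtypes, zone: Dict[str, Set[str]],
                       apex: str, chain: List[str]) -> bool:
    """Would a dynamic update adding `rrtypes` at `name` require a new NSEC3 RR?"""
    merged = dict(zone)
    merged[name] = zone.get(name, set()) | set(rrtypes)
    return name in names_needing_nsec3(merged, apex, chain_uses_opt_out(chain))


# Constructed sample zone (names and types only), loosely modelled on RFC 5155 Appendix A.
ZONE: Dict[str, Set[str]] = {
    "example.": {"SOA", "NS", "MX", "DNSKEY", "NSEC3PARAM"},
    "a.example.": {"NS", "DS"},        # secure delegation
    "ns1.a.example.": {"A"},           # glue below the a.example. cut
    "c.example.": {"NS"},              # insecure delegation: NS without DS
    "ns1.c.example.": {"A"},           # glue
    "x.y.w.example.": {"MX"},          # makes y.w.example. and w.example. empty non-terminals
    "ai.example.": {"A", "HINFO", "AAAA"},
}

if __name__ == "__main__":
    for opt_out in (True, False):
        param, chain = build_chain(ZONE, "example.", "aabbccdd", 12, opt_out)
        print(f"\nopt_out={opt_out}: {param}")
        for rr in chain:
            print("  " + rr)
        # The update from the original post: an NS-only (unsigned) delegation.
        print("  NS-only update for d.example. needs NSEC3:",
              update_needs_nsec3("d.example.", {"NS"}, ZONE, "example.", chain))
```

Running it prints the same `NSEC3PARAM 1 0 12 aabbccdd` line in both cases while the NSEC3 RRs carry `1 1 12` with opt-out and `1 0 12` without, and `c.example.` (NS, no DS) only appears in the non-opt-out chain. The `d.example.` decision comes out False for the opt-out chain and True for the other, which is the behaviour Stephane observed: nothing in NSEC3PARAM tells the signer this, the flag bit on the existing NSEC3 RRs does.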