[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Mark Andrews marka at isc.org
Wed Nov 18 13:35:44 UTC 2009

In message <20091118125638.GA28559 at nic.fr>, Stephane Bortzmeyer writes:
> Testing dynamic update together with DNSSEC / NSEC3, I can see that
> BIND 9.7 b2 does not add NSEC3 records when I add only
> non-authoritative data, for instance NS records.
> That's fine, it is exactly what I want but how can BIND read in my
> mind and discover that the zone was signed with opt-out?
> I thought it was using NSEC3PARAM but, while this record indeed stores
> useful things like the number of iterations, the opt-out flag is zero:
> @ IN  NSEC3PARAM 1 0 10 F00DCAFE
> Indeed, the RFC 5155 mandates it:
> 4.1.2.  Flag Fields
>    The Opt-Out flag is not used and is set to zero.
> So:
> 1) Why does RFC 5155 prevent the use of the opt-out flag?

Over specification.

> 2) How can BIND find by itself that I use opt-out?

The update code looks at the previous NSEC3 record and if it has
optout set and if there is no DS we don't add a NSEC3 record.  If
optout is not set we add a NSEC3 record.  Optout is copied from the
previous NSEC3 record.

Mind you it would make more sense to have optout in the NSEC3PARAM
record.  There is no useful purpose to being able to switch optout
on and off in a NSEC3 chain and we don't provide a method to do so
but will preserve a zone that does do so.

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list