[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Nov 18 13:39:00 UTC 2009

On Wed, Nov 18, 2009 at 01:21:04PM +0000,
 John Dickinson <jad at jadickinson.co.uk> wrote 
 a message of 82 lines which said:

> > 1) Why does RFC 5155 prevent the use of the opt-out flag?
> Because the secondaries don't care about opt-out in order to serve
> the correct RR's.

OK but, then, why having an Opt-Out flag at all in the NSEC3PARAM
resource record?

> > 2) How can BIND find by itself that I use opt-out?
> If there is a signer in bind then there needs to be a setting in the
> bind zone clause (I guess) that tells it what to do when signing
> dynamic updates.

I cannot find such an option in the ARM, even with grep's help. Anyone
knows its name?

More information about the dns-operations mailing list