[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Roy Arends roy at dnss.ec
Wed Nov 18 13:44:54 UTC 2009

On Nov 18, 2009, at 1:56 PM, Stephane Bortzmeyer wrote:

> Testing dynamic update together with DNSSEC / NSEC3, I can see that
> BIND 9.7 b2 does not add NSEC3 records when I add only
> non-authoritative data, for instance NS records.
> That's fine, it is exactly what I want but how can BIND read in my
> mind and discover that the zone was signed with opt-out?
> I thought it was using NSEC3PARAM but, while this record indeed stores
> useful things like the number of iterations, the opt-out flag is zero:
> @ IN  NSEC3PARAM 1 0 10 F00DCAFE
> Indeed, the RFC 5155 mandates it:
> 4.1.2.  Flag Fields
>   The Opt-Out flag is not used and is set to zero.
> So:
> 1) Why does RFC 5155 prevent the use of the opt-out flag?

The NSEC3PARAM is solely to inform secondaries which hash algorithm, iterations and salt it needs to use, and optionally some of the flags that might be allocated in the future. Since it is not needed to inform secondaries of opt-out, the opt-out flag is set to zero in the NSEC3PARAM record.

> 2) How can BIND find by itself that I use opt-out?

I think by implication. If the update happens to be in an opt-out span, no need to add nsec3 records for it. But this is really the wrong list for these questions. Try the BIND users list: https://lists.isc.org/mailman/listinfo/bind-users


More information about the dns-operations mailing list