[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Edward Lewis Ed.Lewis at neustar.biz
Wed Nov 18 14:07:10 UTC 2009

At 0:35 +1100 11/19/09, Mark Andrews wrote:

>Mind you it would make more sense to have optout in the NSEC3PARAM
>record.  There is no useful purpose to being able to switch optout
>on and off in a NSEC3 chain and we don't provide a method to do so
>but will preserve a zone that does do so.

This is an opinion that is specific to an implementation's design choice.

You don't have to opt-out an unsigned delegation, but the apparent 
assumption made in BIND is that if opt-out is used in a zone (toggle 
on/off) then all unsigned cu tpoints are opted-out.  When the work 
was done to prepare RFC 5155, there wasn't a global setting for 
opt-in/opt-out, it was anticipated to be a per cut point decision. 
The issue is that implementations don't let you specify "make this 
out-out" or not when adding a cut point, coders generally prefer to 
infer behavior than ask the user.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.

More information about the dns-operations mailing list