[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?
Edward Lewis
Ed.Lewis at neustar.biz
Wed Nov 18 14:07:10 UTC 2009
At 0:35 +1100 11/19/09, Mark Andrews wrote:
>Mind you it would make more sense to have optout in the NSEC3PARAM
>record. There is no useful purpose to being able to switch optout
>on and off in a NSEC3 chain and we don't provide a method to do so
>but will preserve a zone that does do so.
This is an opinion that is specific to an implementation's design choice.
You don't have to opt-out an unsigned delegation, but the apparent
assumption made in BIND is that if opt-out is used in a zone (toggle
on/off) then all unsigned cut points are opted-out. When the work
was done to prepare RFC 5155, there wasn't a global setting for
opt-in/opt-out; it was anticipated to be a per cut point decision.
The issue is that implementations don't let you specify "make this
opt-out" or not when adding a cut point; coders generally prefer to
infer behavior rather than ask the user.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
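Added example, not code from the thread or from BIND: a small Python audit showing where opt-out actually lives in RFC 5155, namely in each NSEC3 RR's Flags field (bit 0) rather than in NSEC3PARAM, and classifying a delegation as signed, opted out, or missing from the chain. The zone names, salt and iteration count are constructed sample data.

```python
"""Audit an NSEC3 chain for opt-out (RFC 5155): the Opt-Out bit is per
NSEC3 RR (Flags bit 0); the NSEC3PARAM Flags field is reserved and MUST be 0."""
import base64
import hashlib

# Base32 "extended hex" alphabet keeps lexical order equal to numeric order
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """Hashed owner name per RFC 5155 section 5: SHA-1 over canonical wire
    form plus salt, re-hashed `iterations` times, Base32hex encoded."""
    labels = name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX)

def build_chain(signed_names, salt_hex, iterations, optout):
    """Constructed chain: one (owner_hash, flags, next_hash) per signed name,
    in hash order, last record wrapping to the first."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in signed_names)
    flags = 1 if optout else 0  # bit 0 = Opt-Out, set per NSEC3 RR
    return [(h, flags, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covering_span(chain, h):
    """Return the NSEC3 record whose (owner, next) interval covers hash h."""
    for owner, flags, nxt in chain:
        if owner < h < nxt or (nxt <= owner and (h > owner or h < nxt)):
            return owner, flags, nxt
    return None

def classify_delegation(chain, name, salt_hex, iterations):
    """'signed'  : the delegation has its own NSEC3 record
       'optout'  : covered by a span with Opt-Out set (insecure, but legal)
       'missing' : covered by a span WITHOUT Opt-Out, so validators would
                   prove the delegation non-existent: the zone is broken"""
    h = nsec3_hash(name, salt_hex, iterations)
    if any(owner == h for owner, _, _ in chain):
        return "signed"
    span = covering_span(chain, h)
    return "optout" if span and span[1] & 1 else "missing"

def nsec3param_ok(flags):
    """NSEC3PARAM Flags MUST be zero (RFC 5155 4.1.2): no global opt-out."""
    return flags == 0
```

Hashes produced by `nsec3_hash` can be cross-checked against the signed example zone in RFC 5155 Appendix A.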