[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Chris Thompson cet1 at cam.ac.uk
Wed Nov 18 17:55:53 UTC 2009

On Nov 18 2009, Edward Lewis wrote:

>At 0:35 +1100 11/19/09, Mark Andrews wrote:
>>Mind you it would make more sense to have optout in the NSEC3PARAM
>>record.  There is no useful purpose to being able to switch optout
>>on and off in a NSEC3 chain and we don't provide a method to do so
>>but will preserve a zone that does do so.
>This is an opinion that is specific to an implementation's design choice.
>You don't have to opt-out an unsigned delegation, but the apparent 
>assumption made in BIND is that if opt-out is used in a zone (toggle 
>on/off) then all unsigned cut points are opted-out.  When the work 
>was done to prepare RFC 5155, there wasn't a global setting for 
>opt-in/opt-out, it was anticipated to be a per cut point decision. 
>The issue is that implementations don't let you specify "make this 
>opt-out" or not when adding a cut point, coders generally prefer to 
>infer behavior than ask the user.

It's surely more a matter of there being no defined way of indicating
whether any particular unsigned delegation should be opt-in or opt-out.
Maybe some new $ directive in master file format would suffice to let
dnssec-signzone make that decision, but then what about a delegation
created by a DNS update operation?

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
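
Added example, not part of the original message or of BIND: since RFC 5155 puts the Opt-Out bit in the Flags field of each NSEC3 record (the NSEC3PARAM flags carry no opt-out setting), the only way to tell whether a signed zone uses opt-out, uniformly or per span as discussed in the thread, is to walk the NSEC3 records themselves. The zone fragment, owner labels and function names below are constructed for illustration, and the parser assumes one RR per line with an explicit owner name.

```python
OPT_OUT = 0x01  # RFC 5155: Opt-Out is the least significant bit of the NSEC3 Flags field

# Constructed sample zone fragment; owner labels and salt are placeholders, not real hashes.
SAMPLE_ZONE = """\
example.            3600 IN NSEC3PARAM 1 0 10 AABBCCDD
hash0001.example.   3600 IN NSEC3 1 1 10 AABBCCDD hash0002 NS SOA RRSIG DNSKEY NSEC3PARAM
hash0001.example.   3600 IN RRSIG NSEC3 7 2 3600 20091218000000 20091118000000 12345 example. c2ln
hash0002.example.   3600 IN NSEC3 1 0 10 AABBCCDD hash0003 A RRSIG
hash0003.example.   3600 IN NSEC3 1 1 10 AABBCCDD hash0001 NS   ; span covering opted-out cuts
"""

def nsec3_flags(zone_text):
    """Map each NSEC3 owner name to its Flags field.

    Assumes one RR per line with an explicit owner name (no $ORIGIN,
    no continuation lines). NSEC3PARAM and RRSIG(NSEC3) are skipped.
    """
    flags = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        i = 1  # skip the optional TTL and class to reach the type field
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        if i + 2 >= len(fields) or fields[i].upper() != "NSEC3":
            continue
        # NSEC3 RDATA: hash-alg flags iterations salt next-hashed-owner types...
        flags[fields[0]] = int(fields[i + 2])
    return flags

def classify_chain(zone_text):
    """Return 'no-nsec3', 'no-opt-out', 'opt-out' or 'mixed' for the chain."""
    flags = nsec3_flags(zone_text)
    if not flags:
        return "no-nsec3"
    opted = [owner for owner, f in flags.items() if f & OPT_OUT]
    if not opted:
        return "no-opt-out"
    return "opt-out" if len(opted) == len(flags) else "mixed"

if __name__ == "__main__":
    for owner, f in nsec3_flags(SAMPLE_ZONE).items():
        print(owner, "opt-out" if f & OPT_OUT else "no opt-out")
    print("chain:", classify_chain(SAMPLE_ZONE))
```

A "mixed" result is the case the thread describes: a chain in which opt-out was toggled per span rather than applied to every unsigned delegation.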
