[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?
Chris Thompson
cet1 at cam.ac.uk
Wed Nov 18 17:55:53 UTC 2009
On Nov 18 2009, Edward Lewis wrote:
>At 0:35 +1100 11/19/09, Mark Andrews wrote:
>
>>Mind you it would make more sense to have optout in the NSEC3PARAM
>>record. There is no useful purpose to being able to switch optout
>>on and off in a NSEC3 chain and we don't provide a method to do so
>>but will preserve a zone that does do so.
>
>This is an opinion that is specific to an implementation's design choice.
>
>You don't have to opt-out an unsigned delegation, but the apparent
>assumption made in BIND is that if opt-out is used in a zone (toggle
>on/off) then all unsigned cut points are opted-out. When the work
>was done to prepare RFC 5155, there wasn't a global setting for
>opt-in/opt-out, it was anticipated to be a per cut point decision.
>The issue is that implementations don't let you specify "make this
>opt-out" or not when adding a cut point, coders generally prefer to
>infer behavior than ask the user.
It's surely more a matter of there being no defined way of indicating
whether any particular unsigned delegation should be opt-in or opt-out.
Maybe some new $ directive in master file format would suffice to let
dnssec-signzone make that decision, but then what about a delegation
created by a DNS update operation?
--
Chris Thompson
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH, United Kingdom.
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715
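The thread's question (how a server can tell, after the fact, that a zone was signed with Opt-Out) and Mark Andrews' remark that Opt-Out lives per NSEC3 record rather than in NSEC3PARAM both come down to where the flag is carried in RFC 5155: bit 0x01 of the Flags field of each NSEC3 RR, while the NSEC3PARAM Flags field defines no Opt-Out bit. The script below is an added example, not BIND code and not from anyone on this thread; it reads NSEC3 and NSEC3PARAM records in presentation format from a constructed sample zone fragment (the hashed owner names and salt are made up) and reports whether the chain uses Opt-Out on all, some, or none of its records, so that the "toggled on and off within one chain" case Mark describes is visible.

```python
"""Added example: detect Opt-Out from a zone's NSEC3 records.

Per RFC 5155 section 3.1.2.1, Opt-Out is bit 0x01 of the NSEC3 Flags
field. NSEC3PARAM (section 4.1.2) has a Flags field too, but no Opt-Out
bit is defined for it, so the parameters record alone cannot say
whether the chain was built with Opt-Out; you must inspect the NSEC3
RRs themselves.
"""

OPT_OUT = 0x01  # RFC 5155 NSEC3 Flags bit 0

# Constructed sample, not a real zone: hashed owners and salt are invented.
SAMPLE_MIXED = """\
; constructed sample
example.                                  3600 IN NSEC3PARAM 1 0 10 aabbccdd
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 10 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS DS RRSIG
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. 3600 IN NSEC3 1 0 10 aabbccdd 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG
2vptu5timamqttgl4luu9kg21e0aor3s.example. 3600 IN NSEC3 1 1 10 aabbccdd 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NS
"""

SAMPLE_ALL_OPTOUT = """\
example.                                  3600 IN NSEC3PARAM 1 0 10 aabbccdd
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 10 aabbccdd 2vptu5timamqttgl4luu9kg21e0aor3s NS DS RRSIG
2vptu5timamqttgl4luu9kg21e0aor3s.example. 3600 IN NSEC3 1 1 10 aabbccdd 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NS
"""


def is_optout(flags):
    """True when the NSEC3 Flags value has the Opt-Out bit set."""
    return bool(int(flags) & OPT_OUT)


def parse_nsec3_rrs(zone_text):
    """Yield (owner, rrtype, rdata_fields) for each NSEC3 / NSEC3PARAM RR.

    Minimal presentation-format reader: one RR per line, ';' comments
    stripped, TTL and class optional. Everything else is ignored.
    """
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        type_idx = next(
            (i for i, f in enumerate(fields) if f in ("NSEC3", "NSEC3PARAM")),
            None,
        )
        if type_idx is None or len(fields) < type_idx + 3:
            continue
        yield fields[0], fields[type_idx], fields[type_idx + 1:]


def summarize_optout(zone_text):
    """Classify the NSEC3 chain as using Opt-Out on 'all', 'mixed',
    'none', or 'no-nsec3' records, and report the NSEC3PARAM Flags.

    Rdata layout for both types: hash-alg, flags, iterations, salt, ...
    so the Flags field is rdata[1].
    """
    total = 0
    optout_owners = []
    param_flags = None
    for owner, rrtype, rdata in parse_nsec3_rrs(zone_text):
        flags = int(rdata[1])
        if rrtype == "NSEC3PARAM":
            param_flags = flags  # carries no Opt-Out information
            continue
        total += 1
        if is_optout(flags):
            optout_owners.append(owner)
    if total == 0:
        status = "no-nsec3"
    elif not optout_owners:
        status = "none"
    elif len(optout_owners) == total:
        status = "all"
    else:
        status = "mixed"
    return {
        "status": status,
        "nsec3_total": total,
        "optout_count": len(optout_owners),
        "optout_owners": optout_owners,
        "nsec3param_flags": param_flags,
    }


if __name__ == "__main__":
    for name, zone in (("mixed", SAMPLE_MIXED), ("all", SAMPLE_ALL_OPTOUT)):
        print(name, summarize_optout(zone))
```

A "mixed" result is legal under RFC 5155, since the flag is set per NSEC3 record, which is exactly why a tool that only looks at NSEC3PARAM (where the flags are zero in both samples) cannot recover the signer's Opt-Out choice; it has to walk the NSEC3 RRs, as this script does.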