[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Mark Andrews marka at isc.org
Wed Nov 18 22:33:59 UTC 2009

In message <20091118133900.GA830 at nic.fr>, Stephane Bortzmeyer writes:
> On Wed, Nov 18, 2009 at 01:21:04PM +0000,
>  John Dickinson <jad at jadickinson.co.uk> wrote 
>  a message of 82 lines which said:
> > > 1) Why does RFC 5155 prevent the use of the opt-out flag?
> > 
> > Because the secondaries don't care about opt-out in order to serve
> > the correct RR's.
> OK but, then, why having an Opt-Out flag at all in the NSEC3PARAM
> resource record?

Because there was the intention to add other flags to the NSEC3PARAM
records, things like ADDCHAIN/REMOVECHAIN so that changes could be
done incrementally.  The operation would be done on the chain that
matched ignoring the flags octet and the NSEC3PARAM set would be
updated when the operation completed.

Building and signing a new NSEC3 chain takes time.  Even removing an NSEC3
chain can take a long time.

> > > 2) How can BIND find by itself that I use opt-out?
> > 
> > If there is a signer in bind then there needs to be a setting in the
> > bind zone clause (I guess) that tells it what to do when signing
> > dynamic updates.
> I cannot find such an option in the ARM, even with grep's help. Does anyone
> know its name?
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
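An added example, not from this thread and not BIND's code, illustrating the two points the reply rests on: an NSEC3 chain is identified by algorithm, iterations and salt with the flags octet ignored, and whether opt-out is in use is visible from the NSEC3 records themselves rather than from NSEC3PARAM (whose Flags field RFC 5155 requires to be zero). The sample zone data below is constructed; the next-hashed-owner field is a placeholder and the type bitmap is omitted.

```python
import struct

OPT_OUT = 0x01  # the only NSEC3 Flags bit RFC 5155 defines

def parse_nsec3_params(rdata: bytes) -> dict:
    """Parse the header shared by NSEC3PARAM and NSEC3 RDATA (RFC 5155):
    Hash Alg (1) | Flags (1) | Iterations (2) | Salt Length (1) | Salt."""
    if len(rdata) < 5:
        raise ValueError("RDATA too short for an NSEC3/NSEC3PARAM header")
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    salt = rdata[5:5 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("salt field truncated")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt}

def chain_key(params: dict) -> tuple:
    """Identify a chain as the reply describes: by algorithm, iterations and
    salt, ignoring the flags octet entirely."""
    return (params["alg"], params["iterations"], params["salt"])

def audit_chain(nsec3param_rdata: bytes, nsec3_rdatas: list) -> dict:
    """Check a published NSEC3PARAM against the zone's NSEC3 records."""
    param = parse_nsec3_params(nsec3param_rdata)
    records = [parse_nsec3_params(r) for r in nsec3_rdatas]
    return {
        # RFC 5155: an NSEC3PARAM with a non-zero Flags field must be ignored.
        "nsec3param_flags_zero": param["flags"] == 0,
        # Every NSEC3 record should sit on the chain NSEC3PARAM advertises.
        "all_on_published_chain": all(chain_key(r) == chain_key(param) for r in records),
        # Opt-out is discoverable only from the NSEC3 records' own flags.
        "opt_out_in_use": any(r["flags"] & OPT_OUT for r in records),
    }

def make_rdata(alg: int, flags: int, iterations: int, salt: bytes, rest: bytes = b"") -> bytes:
    """Build NSEC3PARAM RDATA (rest empty) or NSEC3 RDATA (rest = hash len + next hash)."""
    return struct.pack("!BBHB", alg, flags, iterations, len(salt)) + salt + rest

# Constructed sample zone: SHA-1 (alg 1), 10 iterations, a 2-byte salt.
SALT = b"\xab\xcd"
NSEC3PARAM = make_rdata(1, 0, 10, SALT)
NEXT = b"\x14" + bytes(20)  # placeholder 20-byte next-hashed-owner field
NSEC3_RECORDS = [
    make_rdata(1, OPT_OUT, 10, SALT, NEXT),  # span covering unsigned delegations
    make_rdata(1, 0, 10, SALT, NEXT),
]

if __name__ == "__main__":
    print(audit_chain(NSEC3PARAM, NSEC3_RECORDS))
```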
