[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?

Edward Lewis Ed.Lewis at neustar.biz
Wed Nov 18 22:45:28 UTC 2009

At 17:55 +0000 11/18/09, Chris Thompson wrote:

>Maybe some new $ directive in master file format would suffice to let
>dnssec-signzone make that decision

In that case, it's an implementation detail, not so much a matter for 

>but then what about a delegation
>created by a DNS update operation?

That I would chalk up as a gap in RFC 5155's specification.  I.e. 
"how does one indicate if a domain is eligible for opt-out it is to 
be opted-out.?"  If there is ever an effort to promote DNSSEC and 
NSEC3 to Draft Standard, that ought to be fixed by the IETF.

All said and done, the choice made in BIND is reasonable - but still 
it is a choice of the implementation.
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.

More information about the dns-operations mailing list