[dns-operations] How can BIND find itself that I used NSEC3 with opt-out?
Edward Lewis
Ed.Lewis at neustar.biz
Wed Nov 18 22:45:28 UTC 2009
At 17:55 +0000 11/18/09, Chris Thompson wrote:

>Maybe some new $ directive in master file format would suffice to let
>dnssec-signzone make that decision

In that case, it's an implementation detail, not so much a matter for
interoperability.

>but then what about a delegation
>created by a DNS update operation?

That I would chalk up as a gap in RFC 5155's specification. I.e.
"how does one indicate if a domain is eligible for opt-out it is to
be opted-out?" If there is ever an effort to promote DNSSEC and
NSEC3 to Draft Standard, that ought to be fixed by the IETF.

All said and done, the choice made in BIND is reasonable - but still
it is a choice of the implementation.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.