[dns-operations] NSEC3 with empty non-terminals from insecure delegations

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Sep 18 15:18:50 UTC 2016


On Sun, Sep 18, 2016 at 04:37:44PM +0300,
 Emil Natan <shlyoko at gmail.com> wrote 
 a message of 122 lines which said:

> I have a case where two signing tools (BIND/dnssec-signzone and
> OpenDNSSEC) disagree on the way a zonefile should be signed and I'm
> looking for your opinion on which behavior you consider correct (or
> "more correct").

There will be a detailed talk on this issue at the next OARC workshop
<https://indico.dns-oarc.net/event/25/session/4/contribution/4>

IMHO, both tools are right (the RFC could be clearer on that corner
case) but some validators (most important being Google Public DNS)
have trouble with BIND's solution.


