nsec3 in bind 9.7
Evan Hunt
each at isc.org
Tue Feb 23 16:53:59 UTC 2010
> > To answer the question, those values are the NSEC3PARAM data for the
> > zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0
> > means no opt-out;
>
> It is not exactly what the RFC says:
>
> The Opt-Out flag is not used and is set to zero.
True. I oversimplified a bit.
When you send an NSEC3PARAM record via DDNS, it may be modified before it
actually appears in the zone.
The record you send is a signal to named that you want to change from
NSEC to NSEC3, or change from one NSEC3 chain to another one with
different parameters. The opt-out flag in the record you send is part
of that signal; it indicates whether the new chain should use opt-out
or not.
On receiving such a record, named carries out the NSEC3 transition. The
last step in that transition is placing an NSEC3PARAM record at the zone
apex. *That* record always has opt-out set to zero, per the RFC.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
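The behaviour Evan describes above can be modelled concretely: the NSEC3PARAM record sent through DDNS carries the opt-out bit as a request, while the record named finally places at the apex has its flags byte cleared, and the hashing parameters (algorithm, iterations, salt) are what actually define the chain. The following Python is an added example, not code from the post or from BIND; it encodes and decodes NSEC3PARAM RDATA per RFC 5155 section 4.2, computes the NSEC3 owner-name hash per section 5, and uses a hypothetical `apex_from_ddns_signal` helper to mirror the transition described in the post (the flags byte is cleared, the opt-out bit is reported separately). The test vector (salt AABBCCDD, 12 iterations, name "example") is the one from RFC 5155 Appendix A.

```python
import hashlib
import struct

# RFC 5155 section 3.1.2.1: bit 0 of the NSEC3 Flags field is Opt-Out.
NSEC3_OPTOUT = 0x01

# RFC 4648 base32hex alphabet, lowercase as used in NSEC3 owner names.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex; 20 SHA-1 bytes become exactly 32 characters."""
    bits, nbits, out = 0, 0, []
    for b in data:
        bits = (bits << 8) | b
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(B32HEX[(bits >> nbits) & 0x1F])
    if nbits:
        out.append(B32HEX[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def nsec3_hash(name: str, iterations: int, salt: bytes, alg: int = 1) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt)."""
    if alg != 1:  # only SHA-1 (hash algorithm 1) is defined by RFC 5155
        raise ValueError("unsupported NSEC3 hash algorithm %d" % alg)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def encode_nsec3param(alg: int, flags: int, iterations: int, salt: bytes) -> bytes:
    """RFC 5155 section 4.2 RDATA: alg(1) flags(1) iterations(2) saltlen(1) salt."""
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return struct.pack("!BBHB", alg, flags, iterations, len(salt)) + salt


def decode_nsec3param(rdata: bytes):
    """Inverse of encode_nsec3param; returns (alg, flags, iterations, salt)."""
    if len(rdata) < 5:
        raise ValueError("NSEC3PARAM RDATA too short")
    alg, flags, iterations, saltlen = struct.unpack("!BBHB", rdata[:5])
    if len(rdata) != 5 + saltlen:
        raise ValueError("salt length field does not match RDATA length")
    return alg, flags, iterations, rdata[5:]


def present_nsec3param(alg: int, flags: int, iterations: int, salt: bytes) -> str:
    """Presentation format as in zone files: '1 0 10 AABBCCDD', '-' for an empty salt."""
    return "%d %d %d %s" % (alg, flags, iterations, salt.hex().upper() if salt else "-")


def apex_from_ddns_signal(signal_rdata: bytes):
    """Hypothetical model of the transition described in the post: the opt-out
    bit of the record sent via DDNS is a request for the new chain, while the
    NSEC3PARAM record finally placed at the apex has its flags set to zero."""
    alg, flags, iterations, salt = decode_nsec3param(signal_rdata)
    chain_uses_optout = bool(flags & NSEC3_OPTOUT)
    apex_rdata = encode_nsec3param(alg, 0, iterations, salt)
    return chain_uses_optout, apex_rdata


if __name__ == "__main__":
    salt = bytes.fromhex("AABBCCDD")  # constructed sample parameters
    signal = encode_nsec3param(1, NSEC3_OPTOUT, 10, salt)
    optout, apex = apex_from_ddns_signal(signal)
    print("sent via DDNS :", present_nsec3param(*decode_nsec3param(signal)))
    print("opt-out chain :", optout)
    print("apex record   :", present_nsec3param(*decode_nsec3param(apex)))
    # The flags byte plays no part in hashing; both records describe one chain.
    print("hash(example) :", nsec3_hash("example", 12, salt))
```

With these parameters the record one would feed to nsupdate would look like `update add example. 3600 NSEC3PARAM 1 1 10 AABBCCDD` (an illustrative line, not taken from the post), and after the transition `dig example. NSEC3PARAM` should show `1 0 10 AABBCCDD`; the opt-out choice is visible only in the Flags field of the NSEC3 records themselves.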