NSEC3 records not available through a BIND resolver <= 9.5?
Mark Andrews
marka at isc.org
Wed Mar 17 22:58:27 UTC 2010
In message <20100317172506.GB21147 at isc.org>, Evan Hunt writes:
> > BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> > response.
>
> Correct, and whoops. We should have backported at least that much
> knowledge of NSEC3.
Not really. You need an NSEC3-aware path between the validator and
the authoritative servers to use NSEC3. This is no different to
needing a DNSSEC-aware path between the validator and the authoritative
server for DNSSEC. Some things just don't work through old servers.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
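
One way to check the point made in this message, as an added example that is not part of the original post: read the text output of `dig +dnssec` and report which signed denial-of-existence records arrived with an NXDOMAIN. The two sample outputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed dig-style output (not captured from a real server): one NXDOMAIN
# answer as seen directly, and as seen through a hop that drops NSEC3.
DIRECT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 7 2 3600 20100401000000 20100301000000 1234 example.test. c2ln
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 10 AABB 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN RRSIG NSEC3 7 3 3600 20100401000000 20100301000000 1234 example.test. c2ln
"""
# Same answer with every NSEC3 line (record and its RRSIG) removed.
VIA_OLD_HOP = "\n".join(
    line for line in DIRECT.splitlines() if "NSEC3" not in line) + "\n"


def authority_records(dig_text):
    """Return (status, RR types, RRSIG-covered types) for the AUTHORITY section."""
    m = re.search(r"status: (\w+)", dig_text)
    status = m.group(1) if m else None
    types, covered, in_auth = set(), set(), False
    for line in dig_text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_auth = line.startswith(";; AUTHORITY")
            continue
        fields = line.split()
        # Record lines read: owner ttl class type rdata...
        if in_auth and len(fields) >= 5 and not line.startswith(";"):
            types.add(fields[3])
            if fields[3] == "RRSIG":
                covered.add(fields[4])  # first RRSIG rdata field: type covered
    return status, types, covered


def denial_proof(dig_text):
    """Classify what a validator behind this path would have to work with."""
    status, types, covered = authority_records(dig_text)
    if status != "NXDOMAIN":
        return "not-nxdomain"
    for rrtype in ("NSEC3", "NSEC"):
        if rrtype in types:
            return rrtype.lower() if rrtype in covered else rrtype.lower() + "-unsigned"
    return "missing"  # nothing to prove non-existence with
```

Comparing the result for the same name queried directly at an authoritative server and through the resolver shows whether the hop in between is the one dropping the records.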