NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
Mark Andrews
marka at isc.org
Tue Mar 6 23:30:26 UTC 2012
In message <32660394-6C37-4268-9F36-1E73996DC61F at ausregistry.com.au>, Wolfgang
Nagele writes:
> Hi,
>
> > NSEC3PARAM records should be generated by the signing software and
> > not just be added to the zone.
> Who says that? :) I think that is a matter of implementation and preference.
>
> > Their presence/absence changes how
> > the zone is served. In particular how negative and wildcard responses
> > are generated.
> And how is that different from sending them in from a trusted source (your
> unsigned version, hopefully using TSIG) VS sending them in via another
> trusted source (rndc)?
NSEC3PARAM is not supposed to be present in an unsigned zone. rndc doesn't
add them to the zone. It tells the signing component to generate an NSEC3
chain and, when that is complete, to add the NSEC3PARAM record.
> Cheers,
> Wolfgang
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org