NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Mar 7 09:38:58 UTC 2012


Phil,

On 03/07/12 10:27, Phil Mayers wrote:
> On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote:
> 
>> I also find it a bit strange that BIND decides to go for NSEC, even when
>> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).
>>
> As I understand it, NSEC3 incurs overhead at validating resolvers. That
> being the case, it is unfriendly to use it unless you really need it

I don't have a problem with that. It's just that I find the current way
BIND works a bit tricky. I would feel more comfortable with an explicit
configuration-option in named.conf, rather than a separate action (being
'rndc signing -nsec3param').

(In the case I *really* want NSEC3 that is, naturally)

Regards,

--
Marco


