DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1

Shumon Huque shuque at isc.upenn.edu
Wed Jul 8 21:31:58 UTC 2009


On Wed, Jul 08, 2009 at 09:20:29PM +0000, Evan Hunt wrote:
> > Is there any reason these flags should not be set by default?
> 
> Yes, there is:  the code as written uses the NSEC3PARAM record in a
> way that, debatably, could be an RFC violation.  We're planning to
> correct this, and turn the feature on by default in 9.7.0.  (I can't
> promise, but it may make it into the next alpha release.)

Thanks for the explanation. Since I'm not using NSEC3, I'm going
to assume that it's safe to set the flags.

Can I request that NSEC3-NOTES be updated to mention that these
features need to be turned on explicitly? A configure flag would
be nice. I'd also suggest giving the file a slightly less misleading
name, e.g. DNSSEC-DYNAMIC-UPDATE-NOTES. Or putting the text into the
ARM.

> > Also the private type record seems to have changed from 65535 to 
> > 65534 but this hasn't been updated in NSEC3-NOTES.
> 
> Thank you for pointing that out.
> 
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.

--Shumon.


