nsec and nsec3 records

Evan Hunt each at isc.org
Sun Jun 14 02:03:03 UTC 2009

> Can both nsec and nsec3 records be used simultaneously in a zone file,
> or is it an either/or?

Why would you want them both?  If you don't mind the drawbacks of NSEC,
why take on the operational and computational burdens of NSEC3?

To answer the question, while I don't think the RFCs explicitly forbid
it, BIND9 doesn't currently support it.

We do have plans, in a future release, to allow both NSEC and NSEC3 to
exist in a zone--but only as a temporary transitional state when a zone
is being converted from one to another; it wouldn't be persistent.  So,
if you were converting from NSEC to NSEC3, both chains would exist, but
as soon as the NSEC3 chain was complete the NSEC chain would be removed.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
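
An added example (not part of the original post and not BIND code): a small auditor that reports which denial-of-existence chains a zone file carries and flags the mixed NSEC/NSEC3 state described above. It assumes one record per line with fully-qualified owners in "owner TTL IN TYPE rdata" form; the sample zone and its shortened hash labels are constructed, and a closed loop of "next" pointers is treated as a necessary sign of a complete chain, not proof that every name is covered.

```python
# Constructed sample: a complete NSEC chain plus the first record of an NSEC3 chain.
# Hash labels are shortened placeholders, not real SHA-1 output.
SAMPLE_MIXED = """\
example.       3600 IN NSEC  www.example. NS SOA RRSIG NSEC DNSKEY
www.example.   3600 IN NSEC  example. A RRSIG NSEC
0aaa.example.  3600 IN NSEC3 1 0 10 ABCD 7bbb NS SOA RRSIG DNSKEY NSEC3PARAM
"""

def parse_chains(zone_text, origin):
    """Return ({owner: next} for NSEC, {hash_label: next_hash} for NSEC3)."""
    nsec, nsec3 = {}, {}
    suffix = "." + origin.lower()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()          # drop trailing comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "NSEC":
            nsec[owner] = rdata[0].lower()
        elif rtype == "NSEC3" and len(rdata) >= 5 and owner.endswith(suffix):
            # rdata: hash-alg flags iterations salt next-hashed-owner [types...]
            nsec3[owner[: -len(suffix)]] = rdata[4].lower()
    return nsec, nsec3

def chain_is_closed(chain):
    """True if following 'next' visits every owner exactly once and loops back."""
    if not chain:
        return False
    start = node = next(iter(chain))
    seen = set()
    while node in chain and node not in seen:
        seen.add(node)
        node = chain[node]
    return node == start and len(seen) == len(chain)

def denial_state(zone_text, origin):
    """Classify the zone as unsigned, nsec, nsec3, or the mixed transitional state."""
    nsec, nsec3 = parse_chains(zone_text, origin)
    if nsec and nsec3:
        done = chain_is_closed(nsec3)
        return "mixed: NSEC3 complete" if done else "mixed: NSEC3 incomplete"
    if nsec3:
        return "nsec3" if chain_is_closed(nsec3) else "nsec3 (broken chain)"
    if nsec:
        return "nsec" if chain_is_closed(nsec) else "nsec (broken chain)"
    return "unsigned"

if __name__ == "__main__":
    print(denial_state(SAMPLE_MIXED, "example."))
```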

More information about the bind-users mailing list