NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Wolfgang Nagele wolfgang.nagele at ausregistry.com.au
Tue Mar 6 23:22:16 UTC 2012


> NSEC3PARAM records should be generated by the signing software and
> not just be added to the zone.
Who says that? :) I think that is a matter of implementation and preference.

> Their presence/absence changes how
> the zone is served.  In particular how negative and wildcard responses
> are generated.
And how is that different from sending them in from a trusted source (your unsigned version, hopefully using TSIG) vs. sending them in via another trusted source (rndc)?


