NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
Wolfgang Nagele
wolfgang.nagele at ausregistry.com.au
Tue Mar 6 23:22:16 UTC 2012
Hi,
> NSEC3PARAM records should be generated by the signing software and
> not just be added to the zone.
Who says that? :) I think that is a matter of implementation and preference.
> Their presence/absence changes how
> the zone is served. In particular how negative and wildcard responses
> are generated.
And how is that different from sending them in from a trusted source (your unsigned version, hopefully using TSIG) VS sending them in via another trusted source (rndc)?
Cheers,
Wolfgang
More information about the bind-users
mailing list