NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Mark Andrews marka at isc.org
Tue Mar 6 23:23:19 UTC 2012

In message <DAFE4C5A-DAA9-4D54-8963-A56D9CD9F2F3 at ausregistry.com.au>, Wolfgang 
Nagele writes:
> Hi,
> Ok that is already a bit better - at least saves a full sign with NSEC first.
>  Wondering though, from a user perspective sending in NSEC3PARAM from the uns
> igned end seems like the most natural thing to do. Why complicate matters by 
> having to use rndc here?

Because NSEC3PARAM is in-band signaling.  With NSEC you have the
apex's NSEC record presence/absence as a signal.  With NSEC3 you
have multiple NSEC3 chains and you need to know the NSEC3 parameters
to find the NSEC3 record for the apex.  One could do that by tracking
all the NSEC3 records on a per parameter set basis then looking for
the presence/absence of the NSEC3 record for the apex or use a
seperate type NSEC3PARAM.

With both NSEC and NSEC3 you can have partial chains, to support
incremental signing, and you don't want to use them until they are

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list