NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
Mark Andrews
marka at isc.org
Tue Mar 6 23:23:19 UTC 2012
In message <DAFE4C5A-DAA9-4D54-8963-A56D9CD9F2F3 at ausregistry.com.au>, Wolfgang
Nagele writes:
> Hi,
>
> Ok that is already a bit better - at least saves a full sign with NSEC first.
> Wondering though, from a user perspective sending in NSEC3PARAM from the uns
> igned end seems like the most natural thing to do. Why complicate matters by
> having to use rndc here?
Because NSEC3PARAM is in-band signaling. With NSEC you have the
apex's NSEC record presence/absence as a signal. With NSEC3 you
have multiple NSEC3 chains and you need to know the NSEC3 parameters
to find the NSEC3 record for the apex. One could do that by tracking
all the NSEC3 records on a per parameter set basis then looking for
the presence/absence of the NSEC3 record for the apex or use a
seperate type NSEC3PARAM.
With both NSEC and NSEC3 you can have partial chains, to support
incremental signing, and you don't want to use them until they are
complete.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list