NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Mark Andrews marka at isc.org
Tue Mar 6 23:30:26 UTC 2012

In message <32660394-6C37-4268-9F36-1E73996DC61F at ausregistry.com.au>, Wolfgang 
Nagele writes:
> Hi,
> > NSEC3PARAM records should be generated by the signing software and
> > not just be added to the zone.
> Who says that? :) I think that is a matter of implementation and preference.
> > Their presence/absence changes how
> > the zone is served.  In particular how negative and wildcard responses
> > are generated.
> And how is that different from sending them in from a trusted source (your
> unsigned version, hopefully using TSIG) VS sending them in via another trusted
> source (rndc)?

NSEC3PARAM is not supposed to be present in an unsigned zone.  rndc doesn't
add them to the zone.  It tells the signing component to generate an NSEC3
chain and when that is complete to add the NSEC3PARAM record.
> Cheers,
> Wolfgang
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
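A defender-side check that follows from the point above, added here as an example and not part of the thread or of BIND: a small lint that scans the unsigned master file of an inline-signing zone for records the signer itself is supposed to produce (NSEC3PARAM, NSEC3, NSEC, RRSIG). The sample zone, the names and the `SIGNER_OWNED_TYPES` set are constructed for illustration; only numeric TTLs are recognised, and `$INCLUDE` is not followed.

```python
# Record types that the inline signer generates itself; finding one in the
# unsigned master file means it was added by hand instead of via rndc signing.
SIGNER_OWNED_TYPES = {"NSEC3PARAM", "NSEC3", "NSEC", "RRSIG"}
CLASSES = {"IN", "CH", "HS"}

def strip_comment(line):
    """Drop a trailing ';' comment, ignoring ';' inside quoted strings."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()

def parse_record(line, last_owner):
    """(owner, TYPE) of an RR line or None; inherits owner if indented; numeric TTLs only."""
    tokens = ([last_owner] if line[0].isspace() else []) + line.split()
    owner, rest = tokens[0], tokens[1:]
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest.pop(0)                      # skip optional TTL and class fields
    return (owner, rest[0].upper()) if rest else None

def find_signer_owned_records(zone_text):
    """Return (line_no, owner, type) for each record the signer should own."""
    findings, last_owner = [], "@"
    for no, raw in enumerate(zone_text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip() or line.lstrip().startswith("$"):
            continue                     # blank line or $ORIGIN/$TTL directive
        parsed = parse_record(line, last_owner)
        if parsed is None:
            continue                     # continuation data of a ( ... ) record
        last_owner, rtype = parsed
        if rtype in SIGNER_OWNED_TYPES:
            findings.append((no, last_owner, rtype))
    return findings

# Constructed unsigned zone: the NSEC3PARAM on its line 8 was added by hand.
ZONE_TEXT = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA ns1.example.net. hostmaster.example.net. (
            2012030601 ; serial
            7200 3600 1209600 3600 )
        IN NS  ns1.example.net.
ns1     IN A   192.0.2.53
@       IN NSEC3PARAM 1 0 10 DEADBEEF ; should come from rndc signing instead
"""
```

Run it over the unsigned file before loading it; anything it reports should be removed and requested through `rndc signing -nsec3param` instead.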
