NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Wolfgang Nagele wolfgang.nagele at ausregistry.com.au
Tue Mar 6 23:33:24 UTC 2012


Hi,

> NSEC3PARAM is not supposed to be present in an unsigned zone.  rndc doesn't
> add them to the zone.  It tells the signing component to generate an NSEC3
> chain and when that is complete to add the NSEC3PARAM record.
Nothing says so in the specs: http://tools.ietf.org/html/rfc5155#section-4

You just add complexity by having the user enter the same information twice and possibly failing to do it right.

Cheers,
Wolfgang

