NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Marc Lampo marc.lampo at eurid.eu
Wed Mar 7 08:30:06 UTC 2012


Switch from NSEC to NSEC3!!!
This is a statement with potentially huge consequences, IMHO.

Only valid where the DNSSEC algorithm allows either method
 (like algo #8 and algo #10; unsure about others).
For an algorithm like #5, NSEC is implied.

So suggesting that it is easy to switch (between NSEC and NSEC3),
 without mentioning the link with the algorithm,
 without mentioning the consequences if a chain of trust is established
   (and (DNSSEC) data might be cached "out there"),
is probably not the right thing to do.

(given recent contributions in this list that DNSSEC management is not
easy ...)

Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)


-----Original Message-----
...

(Also, if you want to switch to NSEC instead of NSEC3, you can use
'rndc signing -nsec3param none'.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
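A pre-flight check for the algorithm/denial-method coupling raised in the post above, written as an added example that is not part of the original thread and not BIND code. It parses a zone's DNSKEY RRset in presentation format (the sample records below are constructed, with placeholder key material), applies the RFC 5155 rule that algorithms 3 (DSA) and 5 (RSASHA1) are NSEC-only while their NSEC3-aware aliases 6 and 7, and algorithms 8, 10 and later, permit either method, and only then emits the matching `rndc signing -nsec3param` command. The zone name, the NSEC3 parameters (hash 1, flags 0, 10 iterations, no salt) and the sample keys are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Which denial-of-existence methods a DNSKEY algorithm number permits
# (RFC 5155 sections 2 and 10.4, plus the later algorithm RFCs).
# Numbers not listed are treated as unknown and block the change (fail closed).
NSEC_ONLY: Set[int] = {3, 5}                # DSA, RSASHA1: NSEC3-unaware validators know these
EITHER: Set[int] = {6, 7,                   # DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1 (aliases of 3/5)
                    8, 10,                  # RSASHA256, RSASHA512
                    12, 13, 14, 15, 16}     # ECC-GOST, ECDSA P-256/P-384, Ed25519, Ed448

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)

ZONE_KEY = 0x0100   # RFC 4034 flag bit 7: this is a zone-signing key
REVOKE = 0x0080     # RFC 5011 flag bit 8: key is revoked, not used for validation


class DnsKey(NamedTuple):
    owner: str
    flags: int
    algorithm: int


def parse_dnskeys(rrset: str) -> List[DnsKey]:
    """Parse DNSKEY records in presentation format, ignoring comments and blank lines."""
    keys = []
    for line in rrset.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            raise ValueError(f"not a DNSKEY record: {line!r}")
        keys.append(DnsKey(m["owner"], int(m["flags"]), int(m["alg"])))
    return keys


def permitted_methods(keys: List[DnsKey]) -> Set[str]:
    """Intersect what every active zone key's algorithm permits.

    One algorithm 3 or 5 key is enough to forbid NSEC3: a validator that knows
    RSASHA1 but not NSEC3 would try to validate and return bogus.  That is why
    RFC 5155 makes NSEC3 zones use the aliases 6/7 instead of 3/5.
    """
    allowed = {"NSEC", "NSEC3"}
    for k in keys:
        if not (k.flags & ZONE_KEY) or (k.flags & REVOKE):
            continue                      # not a zone key, or revoked: does not count
        if k.algorithm in NSEC_ONLY:
            allowed &= {"NSEC"}
        elif k.algorithm not in EITHER:
            allowed = set()               # unknown algorithm: refuse to guess
    return allowed


def plan_switch(rrset: str, target: str, zone: str, chain_of_trust: bool,
                nsec3_args: str = "1 0 10 -") -> Dict[str, object]:
    """Decide whether `rndc signing -nsec3param` may move ZONE to TARGET ("NSEC" or "NSEC3").

    nsec3_args follows BIND's documented `hash flags iterations salt` order;
    the values here are sample choices, not a recommendation.
    """
    keys = parse_dnskeys(rrset)
    allowed = permitted_methods(keys)
    algs = sorted({k.algorithm for k in keys})
    ok = target in allowed
    warnings = []
    if not ok:
        warnings.append(f"algorithms {algs} do not permit {target}; "
                        "roll to a permitting algorithm first (RFC 5155 section 10.4)")
    if chain_of_trust:
        warnings.append("DS is published: validators may still hold NSEC/NSEC3 and "
                        "NSEC3PARAM records from the current chain in cache; plan around their TTLs")
    if target == "NSEC3":
        cmd = f"rndc signing -nsec3param {nsec3_args} {zone}"
    else:
        cmd = f"rndc signing -nsec3param none {zone}"
    return {"ok": ok, "algorithms": algs, "permitted": sorted(allowed),
            "command": cmd if ok else None, "warnings": warnings}


# Constructed sample RRsets; the key material is a placeholder, not a real key.
ZONE_RSASHA1 = """
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcKskPlaceholderKSK== ; KSK, algorithm 5
example.test. 3600 IN DNSKEY 256 3 5 AwEAAczskPlaceholderZSK== ; ZSK, algorithm 5
"""
ZONE_RSASHA256 = """
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKskPlaceholderKSK==
example.test. 3600 IN DNSKEY 256 3 8 AwEAAczskPlaceholderZSK==
"""

if __name__ == "__main__":
    for rrset in (ZONE_RSASHA1, ZONE_RSASHA256):
        print(plan_switch(rrset, "NSEC3", "example.test", chain_of_trust=True))
```

Run against the algorithm 5 zone the check refuses to produce a command and tells the operator to roll keys first; against the algorithm 8 zone it prints the `rndc signing -nsec3param 1 0 10 - example.test` line, still flagging the cache caveat when the DS is already published. A mixed zone (algorithm 5 and 8 keys together) is treated as NSEC-only, since the intersection is what matters.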
