NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Mar 7 09:38:58 UTC 2012


On 03/07/12 10:27, Phil Mayers wrote:
> On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote:
>> I also find it a bit strange that BIND decides to go for NSEC, even when
>> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).
> AS I understand it, NSEC3 incurs overhead at validating resolvers. That 
> being the case, it is unfriendly to use it unless you really need it

I don't have a problem with that. It's just that I find the current way
BIND works a bit tricky. I would feel more comfortable with an explicit
configuration-option in named.conf, rather than a seperate action (being
'rndc signing -nsec3param').

(In the case I *really* want NSEC3 that is, naturally)



More information about the bind-users mailing list