NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 7 09:48:32 UTC 2012

On 03/07/2012 09:38 AM, Marco Davids (SIDN) wrote:

>> AS I understand it, NSEC3 incurs overhead at validating resolvers. That
>> being the case, it is unfriendly to use it unless you really need it
> I don't have a problem with that. It's just that I find the current way
> BIND works a bit tricky. I would feel more comfortable with an explicit
> configuration-option in named.conf, rather than a seperate action (being
> 'rndc signing -nsec3param').
> (In the case I *really* want NSEC3 that is, naturally)

Ah sorry, I misunderstood you.

Can't comment on the NSEC3 usability side of things; it's not something 
I've ever used outside the lab, and I didn't find it particularly onerous.

More information about the bind-users mailing list