NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Evan Hunt each at isc.org
Wed Mar 7 18:46:16 UTC 2012

> - use algo 7 with NSEC allows you to move to NSEC3 without much hassle
> (but older resolvers won't validate your replies meanwhile)
> - use algo 5 with NSEC and you have to do a algorithm rollover first
> when you want to move to NSEC3 (but meanwhile, older resolvers will
> validate your replies).

Yes, exactly.

> Are there still any 'older' resolvers around? Maybe not...

Fewer and fewer, and they mostly aren't using DNSSEC.  (They can't
validate the root zone, after all.)  But after some discussion last
year, we still felt it was too soon to update the default algorithm
in dnssec-keygen.  Maybe in 9.10.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list