nsec3 opt-out confusion
klaus.mailinglists at pernau.at
Tue Apr 1 13:35:46 UTC 2014
I use Bind 9.9.5 for inline signing. The zone is configured to use NSEC3:
example.com 0 IN NSEC3PARAM 1 0 10 BEEF
Nevertheless, most of the resulting NSEC3 records have the opt-out bit
set and insecure delegations are indeed skipped (no NSEC3 records for
insecure delegations), eg:
V24FPFCF9JU69PJH09ID0VEGDKLSN410.nic.at. 900 IN NSEC3 1 1 10 BEEF 0OTL3SD4PC0BGU4IVRM0DI2OV4DE8QQN A RRSIG
The only NSEC3 records having the opt-out bit cleared are the NSEC3
records for empty non-terminals, eg:
V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN.example.com. 900 IN NSEC3 1 0 10 BEEF V24FPFCF9JU69PJH09ID0VEGDKLSN410
So, I am confused.
1. Why does Bind use opt-out although it is configured to not use opt-out?
2. What would be the behavior for empty non-terminal NSEC3 records if
opt-out is enabled? Would the generated NSEC3 record still have the
opt-out bit cleared?
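An added helper (not the poster's code and not part of BIND) for the point the post turns on: RFC 5155 §4.1.2 specifies that the Opt-Out bit in a published NSEC3PARAM record is not used and is set to zero, so that record says nothing about whether the zone uses opt-out; only the Flags field of each individual NSEC3 RR does. The script decodes that bit per record, computes NSEC3 owner hashes per RFC 5155 §5 so a name can be matched to the span that covers it, and uses the two RRs quoted above as constructed sample data (they come from two different zones and are chained here only for illustration).

```python
import base64
import hashlib

# Constructed sample: the two NSEC3 RRs quoted in the post, one per line.
SAMPLE_RRS = [
    "V24FPFCF9JU69PJH09ID0VEGDKLSN410.nic.at. 900 IN NSEC3 1 1 10 BEEF 0OTL3SD4PC0BGU4IVRM0DI2OV4DE8QQN A RRSIG",
    "V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN.example.com. 900 IN NSEC3 1 0 10 BEEF V24FPFCF9JU69PJH09ID0VEGDKLSN410",
]
OPT_OUT = 0x01  # RFC 5155 s3.1.2: Opt-Out is the least significant bit of Flags
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5: SHA-1 over (wire-format lower-case name | salt), re-hashed
    `iterations` more times with the salt appended, as unpadded base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_HEX).lower()

def parse_nsec3(line):
    """Parse one NSEC3 RR in presentation format and decode its Opt-Out bit."""
    f = line.split()
    if f[3] != "NSEC3":
        raise ValueError("not an NSEC3 RR: " + line)
    flags = int(f[5])
    return {"owner": f[0].split(".")[0].lower(), "flags": flags,
            "opt_out": bool(flags & OPT_OUT), "iterations": int(f[6]),
            "salt": f[7], "next": f[8].lower(), "types": f[9:]}

def covering_record(records, owner_hash):
    """Return the NSEC3 RR whose (owner, next) span strictly covers owner_hash.
    The last RR of the chain wraps to the first, so its span is split in two."""
    for r in records:
        o, n = r["owner"], r["next"]
        if o < owner_hash < n or (o > n and (owner_hash > o or owner_hash < n)):
            return r
    return None

if __name__ == "__main__":
    for r in map(parse_nsec3, SAMPLE_RRS):
        print(r["owner"], "opt-out" if r["opt_out"] else "no opt-out", r["types"])
    print(nsec3_hash("example", "aabbccdd", 12))  # RFC 5155 Appendix A apex hash
```

A name whose hash falls into a span whose record has the bit set may be an unsigned delegation (validators treat it as Insecure); in a span without the bit, the NSEC3 is a hard proof of nonexistence.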