nsec3 opt-out confusion (bug report)

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 1 14:43:36 UTC 2014

It seems Bind is a bit broken. I just removed NSEC3 and added NSEC3 
again with "1 0 10 BEEF", and suddenly all NSEC3 records had the opt-out 
flag clear.

Then I changed NSEC3 params to "1 1 10 BEEF". Then almost all NSEC3 
records had the opt-out flag set, but two NSEC3 records still had the 
flag clear. These two NSEC3 records correspond with empty non-terminal 
records for an insecure delegation (I guess they are not needed at all, 
as the delegation is insecure, and someone forgot to delete them).

Then I removed NSEC3 and added NSEC3 params "1 1 10 BEEF". This time all 
the NSEC3 records had the opt-out flag set, but the NSEC3PARAM record shows:

Thus, it seems that I had opt-out activated, but the broken NSEC3PARAM 
header made me believe that opt-out was not enabled.

Nevertheless, it seems there are still two bugs:
1. The NSEC3 chain is not properly cleared when switching from 
non-opt-out to opt-out
2. The NSEC3PARAM record always has the opt-out flag clear, even if 
opt-out is activated.

Finally a question: The NSEC3 RFC allows a mixed opt-out mode within a 
zone. Is this used by Bind or does Bind always either use opt-out or 


On 01.04.2014 15:35, Klaus Darilion wrote:
> Hi!
> I use Bind 9.9.5 for inline signing. The zone is configured to use NSEC3
> without opt-out:
> example.com                 0       IN      NSEC3PARAM 1 0 10 BEEF
> Nevertheless, most of the resulting NSEC3 records have the opt-out bit
> set and insecure delegations are indeed skipped (no NSEC3 records for
> insecure delegations), eg:
> V24FPFCF9JU69PJH09ID0VEGDKLSN410.nic.at.      900 IN NSEC3      1 1 10
> The only NSEC3 records having the opt-out bit cleared are the NSEC3
> records for empty non-terminals, eg:
> V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN.example.com.      900 IN NSEC3      1 0
> So, I am confused.
> 1. Why does Bind use opt-out although it is configured to not use opt-out?
> 2. What would be the behavior for empty non-terminal NSEC3 records if
> opt-out is enabled? Would the generated NSEC3 record still have the
> opt-out bit cleared?
> Thanks
> Klaus
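
A small audit script for the situation described above, added here as an example and not part of the original thread or of BIND: it parses NSEC3PARAM and NSEC3 records in presentation format, checks that every NSEC3 record uses the algorithm, iterations and salt published in NSEC3PARAM, and tallies which records carry the Opt-Out flag. RFC 5155 section 4.1.2 specifies that the NSEC3PARAM Flags field is always zero, so whether a chain is opt-out can only be read from the NSEC3 records themselves; the sample records below are constructed.

```python
"""Audit NSEC3/NSEC3PARAM records from a zone dump in presentation format."""
import re

OPT_OUT = 0x01  # Opt-Out is the least significant bit of the NSEC3 Flags field (RFC 5155 3.1.2)

# owner [ttl] [class] TYPE hash-alg flags iterations salt ...   (rest of the RDATA is ignored)
_RR = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>NSEC3PARAM|NSEC3)\s+"
                 r"(?P<alg>\d+)\s+(?P<flags>\d+)\s+(?P<iter>\d+)\s+(?P<salt>\S+)", re.I)

def parse_rr(line):
    """Return (owner, type, alg, flags, iterations, salt), or None for any other record type."""
    m = _RR.match(line.strip())
    if not m:
        return None
    return (m["owner"], m["type"].upper(), int(m["alg"]), int(m["flags"]),
            int(m["iter"]), m["salt"].upper())

def audit_nsec3(lines):
    """Check that the NSEC3 chain matches NSEC3PARAM and tally the Opt-Out flag per record."""
    report = {"nsec3param_flags": None, "param_mismatch": [],
              "opt_out_set": [], "opt_out_clear": [], "warnings": []}
    rrs = [r for r in map(parse_rr, lines) if r]
    param = next((r for r in rrs if r[1] == "NSEC3PARAM"), None)
    if param:
        report["nsec3param_flags"] = param[3]
        if param[3] != 0:  # RFC 5155 4.1.2: NSEC3PARAM Flags must be zero, validators ignore it otherwise
            report["warnings"].append("NSEC3PARAM Flags is non-zero; validators must ignore the record")
    for owner, rtype, alg, flags, iters, salt in rrs:
        if rtype != "NSEC3":
            continue
        # every NSEC3 record in the chain must use the published algorithm, iterations and salt
        if param and (alg, iters, salt) != (param[2], param[4], param[5]):
            report["param_mismatch"].append(owner)
        report["opt_out_set" if flags & OPT_OUT else "opt_out_clear"].append(owner)
    if report["opt_out_set"] and report["opt_out_clear"]:
        report["warnings"].append("mixed Opt-Out flags in chain (allowed by RFC 5155, verify it is intended)")
    return report

# Constructed sample zone lines (not taken from the report); the third NSEC3 record uses a different salt.
SAMPLE = [
    "example.com. 0 IN NSEC3PARAM 1 0 10 BEEF",
    "V24FPFCF9JU69PJH09ID0VEGDKLSN410.example.com. 900 IN NSEC3 1 1 10 BEEF V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN NS SOA RRSIG DNSKEY NSEC3PARAM",
    "V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN.example.com. 900 IN NSEC3 1 0 10 BEEF 0123456789ABCDEFGHIJKLMNOPQRSTUV",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV.example.com. 900 IN NSEC3 1 1 10 CAFE V24FPFCF9JU69PJH09ID0VEGDKLSN410 A RRSIG",
    "example.com. 900 IN SOA ns1.example.com. hostmaster.example.com. 2014040101 3600 900 1209600 300",
]

if __name__ == "__main__":
    for key, value in audit_nsec3(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the output of `dig AXFR` or a `named-compilezone` dump to see at a glance whether the opt-out state of the chain matches what the zone is supposed to use.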
