nsec3 opt-out confusion (bug report)
klaus.mailinglists at pernau.at
Tue Apr 1 16:00:11 UTC 2014
On 01.04.2014 17:09, Chris Thompson wrote:
> On Apr 1 2014, Klaus Darilion wrote:
>> Nevertheless, it seems there are still two bugs:
>> 1. The NSEC3 chain is not properly cleared when switching from
>> non-opt-out to opt-out
>> 2. The NSEC3PARAM record always has the opt-out flag clear, even if
>> opt-out is activated.
> That last, at least, is not a bug. It is mandated by RFC 5155 - see
> section 4.1.2.
Indeed. Thanks. That's confusing. From the RFC:
> The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
> flags, iterations, and salt) needed by authoritative servers to
> calculate hashed owner names
So it can be used to instruct the authoritative name server about
iterations, algorithm and salt, but not for flags. What is the reason
behind this rule?
> This was really nic.at (and not example.com), wasn't it? Your domain
> obfustication was half-hearted! I tried looking at it, but things
> were changing too fast for me to get consistent results...
Yes, half-hearted. It is now stable again. The "zombie" NSEC3 records
left over from a switch to opt-out were causing problems on validating
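The two points the thread settles on (opt-out is signalled in the Flags field of each NSEC3 RR, while the NSEC3PARAM Flags field must be zero, and an incomplete re-sign can leave old NSEC3 records behind) can be checked mechanically over a zone's records. Added example, not code from the thread or from BIND; the zone fragment is constructed, and `parse`/`check` are hypothetical helper names.

```python
# Added example (not from the thread or from BIND); the sample records below are constructed.
from collections import Counter, namedtuple

OPT_OUT = 0x01  # RFC 5155 s.3.1.2.1: Opt-Out is the least significant bit of the NSEC3 Flags
Rec = namedtuple("Rec", "owner rtype alg flags iterations salt next_hash")

def parse(line):
    """Parse one NSEC3 or NSEC3PARAM record in presentation format; TTL and class are optional."""
    toks = line.split()
    i = next(k for k, t in enumerate(toks) if t in ("NSEC3", "NSEC3PARAM"))
    nxt = toks[i + 5].upper() if toks[i] == "NSEC3" else ""  # Next Hashed Owner Name (NSEC3 only)
    return Rec(toks[0].lower(), toks[i], int(toks[i + 1]), int(toks[i + 2]),
               int(toks[i + 3]), toks[i + 4].upper(), nxt)

def check(records):
    """Return (zone_uses_opt_out, findings).  Opt-out is read from the NSEC3 RRs themselves:
    per RFC 5155 s.4.1.2 the NSEC3PARAM Flags field must be zero and carries no opt-out bit."""
    findings = []
    params = [r for r in records if r.rtype == "NSEC3PARAM"]
    nsec3s = [r for r in records if r.rtype == "NSEC3"]
    for p in params:
        if p.flags != 0:
            findings.append(f"NSEC3PARAM {p.owner}: flags={p.flags}, RFC 5155 requires 0")
    active = {(p.alg, p.iterations, p.salt) for p in params}
    for n in nsec3s:
        if (n.alg, n.iterations, n.salt) not in active:
            findings.append(f"NSEC3 {n.owner}: hash parameters match no NSEC3PARAM")
    # Chain walk: every NSEC3 must be the Next Hashed Owner of exactly one other NSEC3.  Records
    # left behind by a re-sign (e.g. non-opt-out -> opt-out) are no longer pointed at: orphans.
    by_hash = {n.owner.split(".")[0].upper(): n for n in nsec3s}
    refs = Counter(n.next_hash for n in nsec3s)
    for n in nsec3s:
        if n.next_hash not in by_hash:
            findings.append(f"NSEC3 {n.owner}: next hash {n.next_hash} has no NSEC3 RR")
    for h, n in by_hash.items():
        if refs[h] != 1:
            findings.append(f"NSEC3 {n.owner}: referenced {refs[h]} times (orphan/duplicate)")
    return any(n.flags & OPT_OUT for n in nsec3s), findings

# Constructed zone fragment (labels shortened; real hashed owners are 32 base32hex chars):
# live opt-out chain AAAA -> BBBB -> AAAA, plus VVVV left over from the earlier non-opt-out chain.
SAMPLE = """example. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
AAAA.example. 3600 IN NSEC3 1 1 10 AABBCCDD BBBB NS SOA RRSIG DNSKEY NSEC3PARAM
BBBB.example. 3600 IN NSEC3 1 1 10 AABBCCDD AAAA A RRSIG
VVVV.example. 3600 IN NSEC3 1 0 10 AABBCCDD AAAA NS"""

if __name__ == "__main__":
    print(check([parse(l) for l in SAMPLE.splitlines()]))
```

On the sample the zone is reported as opt-out (from the NSEC3 flags, even though NSEC3PARAM shows 0) and the stale VVVV record is flagged as unreferenced, with AAAA referenced twice.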