nsec3 opt-out confusion (bug report)

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 1 16:00:11 UTC 2014



On 01.04.2014 17:09, Chris Thompson wrote:
> On Apr 1 2014, Klaus Darilion wrote:
>
> [...]
>> Nevertheless, it seems there are still two bugs:
>> 1. The NSEC3 chain is not properly cleared when switching from
>> non-opt-out to opt-out
>> 2. The NSEC3PARAM record always has the opt-out flag clear, even if
>> opt-out is activated.
>
> That last, at least, is not a bug. It is mandated by RFC 5155 - see
> section 4.1.2.

Indeed. Thanks. That's confusing. From the RFC:

> The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
>    flags, iterations, and salt) needed by authoritative servers to
>    calculate hashed owner names

So it can be used to instruct the authoritative name server about 
iterations, algorithm and salt, but not for flags. What is the reason 
behind this rule?


> This was really nic.at (and not example.com), wasn't it? Your domain
> obfuscation was half-hearted! I tried looking at it, but things
> were changing too fast for me to get consistent results...

Yes, half-hearted. It is now stable again. The "zombie" NSEC3 records
left over from a switch to opt-out were causing problems on validating
resolvers.

regards
Klaus


More information about the bind-users mailing list
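The two points in the thread (the NSEC3PARAM Flags field is always zero because opt-out is signalled per NSEC3 RR, and NSEC3 records left over from a chain switch break validation) are both things you can check mechanically. The following is an added example written for this page, not code from BIND or from either poster. It implements the RFC 5155 section 5 owner-name hash, audits an NSEC3 set against its NSEC3PARAM (flags rule, parameter mismatch, a closed and sorted chain from the apex, records the chain never reaches), and shows what a validator concludes about an unsigned delegation depending on whether the covering span has opt-out set. It goes beyond the thread's single case by covering the non-opt-out span as well. The zone name, salt, iteration count and record set are constructed for illustration (the parameters happen to be those of RFC 5155 Appendix A), and all function names are mine.

```python
# Added example for this thread (not BIND code, not the poster's): checks an NSEC3 chain the
# way a validating resolver sees it. Zone, salt, iterations and records are constructed.
import base64
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 Flags bit (RFC 5155 3.1.2.1); NSEC3PARAM must carry 0 here (4.1.2)
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lower-cased, length-prefixed) wire form of a dotted name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name||salt), re-hashed `iterations` more times, base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

@dataclass
class Nsec3:
    owner: str        # hashed owner label (the part before the zone name)
    alg: int
    flags: int        # opt-out is signalled here, per NSEC3 RR
    iterations: int
    salt: str
    next_hash: str
    types: list

def audit_chain(zone: str, nsec3param_rdata: str, rrs: list) -> list:
    """Return a list of problems; empty means the NSEC3PARAM and chain are consistent."""
    problems = []
    alg, flags, iters, salt = nsec3param_rdata.split()   # e.g. '1 0 12 aabbccdd'
    alg, flags, iters, salt = int(alg), int(flags), int(iters), salt.lower()
    if flags != 0:
        problems.append(f"NSEC3PARAM flags field is {flags}; RFC 5155 4.1.2 requires 0")
    by_owner = {rr.owner: rr for rr in rrs}
    for rr in rrs:
        if (rr.alg, rr.iterations, rr.salt) != (alg, iters, salt):
            problems.append(f"{rr.owner}: parameters differ from NSEC3PARAM (stale chain?)")
    apex = nsec3_hash(zone, salt, iters)
    if apex not in by_owner:
        return problems + [f"no NSEC3 RR for the zone apex (expected owner {apex})"]
    seen, cur = [], apex                  # follow next-hash pointers from the apex
    while cur in by_owner and cur not in seen:
        seen.append(cur)
        cur = by_owner[cur].next_hash
    if cur != apex:
        problems.append(f"chain from the apex ends at {cur} instead of closing the loop")
    start = seen.index(min(seen))         # rotate so the order check does not depend on the apex
    if seen[start:] + seen[:start] != sorted(seen):
        problems.append("NSEC3 chain is not in canonical hash order")
    for owner in by_owner:                # anything the walk never reached is a leftover record
        if owner not in seen:
            problems.append(f"{owner}: not reachable from the apex chain (zombie record)")
    return problems

def covers(rr: Nsec3, hashed: str) -> bool:
    """True if `hashed` lies strictly inside the span owner..next_hash (the last RR wraps)."""
    if rr.owner < rr.next_hash:
        return rr.owner < hashed < rr.next_hash
    return hashed > rr.owner or hashed < rr.next_hash

def unsigned_delegation_status(rrs: list, name: str, salt: str, iters: int) -> str:
    """What a validator concludes about an unsigned delegation `name` from this NSEC3 set."""
    h = nsec3_hash(name, salt, iters)
    for rr in rrs:
        if rr.owner == h:
            return "matched by its own NSEC3 (NS must be set and DS absent in the type bitmap)"
        if covers(rr, h):
            if rr.flags & OPT_OUT:
                return "insecure: covered by an opt-out span, unsigned delegation allowed"
            return "bogus: covered by a non-opt-out span, which asserts the name does not exist"
    return "no covering NSEC3 RR"

def build_chain(names: list, salt: str, iters: int, opt_out: bool = False) -> list:
    """Constructed sample chain: one closed, sorted NSEC3 loop over `names`."""
    hashes = sorted(nsec3_hash(n, salt, iters) for n in names)
    return [Nsec3(h, 1, OPT_OUT if opt_out else 0, iters, salt,
                  hashes[(i + 1) % len(hashes)], ["A"]) for i, h in enumerate(hashes)]

if __name__ == "__main__":
    ZONE, SALT, ITERS = "example", "aabbccdd", 12   # constructed; same parameters as RFC 5155 App. A
    chain = build_chain([ZONE, "a.example", "ns1.example"], SALT, ITERS, opt_out=True)
    print(audit_chain(ZONE, "1 0 12 aabbccdd", chain))                 # clean chain: []
    # Leftover NSEC3 for c.example (now an unsigned delegation) from the pre-opt-out chain:
    zombie = Nsec3(nsec3_hash("c.example", SALT, ITERS), 1, 0, ITERS, SALT, chain[0].owner, ["NS"])
    print(audit_chain(ZONE, "1 0 12 aabbccdd", chain + [zombie]))
    print(unsigned_delegation_status(chain, "c.example", SALT, ITERS))
```

To run this against a real zone, map each NSEC3 RR from the zone file or from `dig +dnssec` output to an `Nsec3` by splitting the owner off at the zone name and the RDATA into its five fixed fields plus the type list; the audit then reports exactly the two conditions discussed above: a non-zero NSEC3PARAM Flags field (which RFC 5155 forbids, so the "always clear" behaviour is correct) and records that no next-hash pointer reaches from the apex, which is what a leftover record from a previous chain looks like. The delegation check shows why such leftovers matter: the same hash covered by an opt-out span is an acceptable insecure delegation, while a non-opt-out span covering it is a proof of non-existence.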